Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Share on Diaspora
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.7.2
Recommended Action: Update to version 0.7.2, or a newer patched version
Plugin: HUSKY – Products Filter Professional for WooCommerce
Vulnerability: Authenticated (Shop Manager+) Arbitrary Options Update
Patched Version: 1.3.6.2
Recommended Action: Update to version 1.3.6.2, or a newer patched version
Plugin: AFI – The Easiest Integration Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.89.6
Recommended Action: Update to version 1.89.6, or a newer patched version
Plugin: Custom Layouts – Post + Product grids made easy
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version
Plugin: The Ultimate Video Player For WordPress – by Presto Player
Vulnerability: Missing Authorization
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: WP Dashboard Notes
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version
Plugin: WP Job Openings – Job Listing, Career Page and Recruitment Plugin
Vulnerability: Missing Authorization
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: 2.13.9
Patched Version: 2.13.10
Recommended Action: Update to version 2.13.10, or a newer patched version
Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More
Vulnerability: Missing Authorization
Patched Version: 6.9.4
Recommended Action: Update to version 6.9.4, or a newer patched version
Plugin: Fonts Plugin | Use Google Fonts, Adobe Fonts or Upload Fonts
Vulnerability: Missing Authorization
Patched Version: 3.7.8
Recommended Action: Update to version 3.7.8, or a newer patched version
Plugin: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.15.7
Recommended Action: Update to version 1.15.7, or a newer patched version
Plugin: WPC Frequently Bought Together for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 7.2.0
Recommended Action: Update to version 7.2.0, or a newer patched version
Plugin: Theme My Login
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 7.1.8
Recommended Action: Update to version 7.1.8, or a newer patched version
Plugin: SEO Redirection Plugin – 301 Redirect Manager
Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version
Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.83
Recommended Action: Update to version 3.1.83, or a newer patched version
Plugin: Slider by Soliloquy – Responsive Image Slider for WordPress
Vulnerability: Missing Authorization to Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version
Plugin: Void Elementor Post Grid Addon for Elementor Page builder
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: Robin image optimizer — save money on image compression
Vulnerability: Missing Authorization
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Flaming Forms
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: tagDiv Opt-In Builder
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Skitter Slideshow
Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chatbot with ChatGPT WordPress
Vulnerability: Missing Authorization
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: ElementsKit Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.6
Recommended Action: Update to version 3.6.6, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 6.0.1.1
Recommended Action: Update to version 6.0.1.1, or a newer patched version
Plugin: WP MultiTasking – WP Utilities
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Participants Database
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.5.9.3
Recommended Action: Update to version 2.5.9.3, or a newer patched version
Plugin: Newsletters
Vulnerability: Directory Traversal
Patched Version: 4.6.19
Recommended Action: Update to version 4.6.19, or a newer patched version
Plugin: BP Profile Search
Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 5.8
Recommended Action: Update to version 5.8, or a newer patched version
Plugin: Responsive Blocks – WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version
Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More
Vulnerability: Insufficient Input Validation
Patched Version: 1.6.29
Recommended Action: Update to version 1.6.29, or a newer patched version
Plugin: FormFacade – WordPress plugin for Google Forms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Sensei LMS – Online Courses, Quizzes, & Learning
Vulnerability: Unauthenticated Email Template Disclosure
Patched Version: 4.24.2
Recommended Action: Update to version 4.24.2, or a newer patched version
Plugin: ParcelPanel (Free to install) – Shipment Tracking, Tracking, and Order Tracking for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version
Plugin: WP Telegram Widget and Join Link
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.28
Recommended Action: Update to version 2.1.28, or a newer patched version
Plugin: Starbox – the Author Box for Humans
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version
Plugin: WP User Manager – User Profile Builder & Membership
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.11
Recommended Action: Update to version 2.9.11, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 4.0.10
Recommended Action: Update to version 4.0.10, or a newer patched version
Plugin: JetBlocks for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.12.1
Recommended Action: Update to version 1.3.12.1, or a newer patched version
Plugin: BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.26
Recommended Action: Update to version 3.1.26, or a newer patched version
Plugin: Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.6.9
Recommended Action: Update to version 3.6.9, or a newer patched version
Plugin: Generate Images (AI) – Magic Post Thumbnail
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.2.8
Recommended Action: Update to version 5.2.8, or a newer patched version
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Accordion Block
Patched Version: 2.2.88
Recommended Action: Update to version 2.2.88, or a newer patched version
Plugin: filedownload
Vulnerability: Blind SQL Injection
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Themify Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Docket (WooCommerce Collections / Wishlist / Watchlist)
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post/Page Deletion
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Docket (WooCommerce Collections / Wishlist / Watchlist)
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Propovoice: All-in-One Client Management System
Vulnerability: Unauthenticated Insecure Direct Object Reference
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EventON
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.17
Recommended Action: Update to version 2.2.17, or a newer patched version
Plugin: Tera Charts
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress
Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version
Plugin: KBucket: Your Curated Content in WordPress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin
Vulnerability: Unauthenticated PHP Code Injection to Remote Code Execution
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: NinjaTeam Header Footer Custom Code
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Zephyr Project Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.103
Recommended Action: Update to version 3.3.103, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Remote Code Execution
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: WPBakery Page Builder Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version
Plugin: Htaccess by BestWebSoft – WordPress Website Access Control Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: Newsletters
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 4.9.9.1
Recommended Action: Update to version 4.9.9.1, or a newer patched version
Plugin: BestWebSoft's LinkedIn
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress
Vulnerability: Missing Authorization to Player Deletion
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version
Plugin: WP2Speed Faster – Optimize PageSpeed Insights Score 90-100
Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Relevanssi – A Better Search
Vulnerability: Unauthenticated Information Exposure
Patched Version: 4.23.0
Recommended Action: Update to version 4.23.0, or a newer patched version
Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: DL Verification
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Aruba HiSpeed Cache
Vulnerability: Missing Authorization
Patched Version: 2.0.13
Recommended Action: Update to version 2.0.13, or a newer patched version
Plugin: Smartsupp – live chat, chatbots, AI and lead generation
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version
Plugin: Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Video Widget
Patched Version: 5.6.3
Recommended Action: Update to version 5.6.3, or a newer patched version
Plugin: LOGIN AND REGISTRATION ATTEMPTS LIMIT
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Addons for Beaver Builder – Lite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.10
Recommended Action: Update to version 1.5.10, or a newer patched version
Plugin: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: NinjaTeam Header Footer Custom Code
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via CSS Styles
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Registrations for the Events Calendar – Event Registration Plugin
Vulnerability: Missing Authorization
Patched Version: 2.12.2
Recommended Action: Update to version 2.12.2, or a newer patched version
Plugin: Easy Testimonials
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Missing Authorization
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Admission AppManager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Travel Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: BerqWP – Automated All-In-One PageSpeed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: Call / Contact Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version
Plugin: Dark Mode for WP Dashboard
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: oik
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.12.1
Recommended Action: Update to version 4.12.1, or a newer patched version
Plugin: Cost Calculator Builder
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.2.16
Recommended Action: Update to version 3.2.16, or a newer patched version
Plugin: HTML5 Video Player – mp4 Video Player Plugin and Block
Vulnerability: Authenticated (Subscriber+) Information Exposure
Patched Version: 2.5.32
Recommended Action: Update to version 2.5.32, or a newer patched version
Plugin: WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.0.5
Recommended Action: Update to version 6.0.5, or a newer patched version
Plugin: WooCommerce Product Table Lite
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 3.8.6
Recommended Action: Update to version 3.8.6, or a newer patched version
Plugin: Newsletters
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.9
Recommended Action: Update to version 4.9.9, or a newer patched version
Plugin: Simple Local Avatars
Vulnerability: Cross-Site Request Forgery via save_default_avatar_file_id()
Patched Version: 2.7.11
Recommended Action: Update to version 2.7.11, or a newer patched version
Plugin: Zephyr Project Manager
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Status Updates
Patched Version: 3.3.103
Recommended Action: Update to version 3.3.103, or a newer patched version
Plugin: Gallery Plugin for WordPress – Envira Photo Gallery
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.8.15
Recommended Action: Update to version 1.8.15, or a newer patched version
Plugin: inlinks
Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Bootstrap Elements for Elementor
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Unauthenticated Double-Extension Arbitrary File Upload
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: AZIndex
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version
Plugin: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
Vulnerability: Missing Authorization via init_endpoint
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stripe Payments For WooCommerce by Checkout Plugins
Vulnerability: Unauthenticated Insecure Direct Object Reference
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 2.13.4
Recommended Action: Update to version 2.13.4, or a newer patched version
Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.3.62
Recommended Action: Update to version 2.3.62, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via TP Page Scroll Widget
Patched Version: 5.6.3
Recommended Action: Update to version 5.6.3, or a newer patched version
Plugin: SVG Support
Vulnerability: Authenticated (Author+) Cross-Site Scripting via SVG
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.19.1
Recommended Action: Update to version 1.19.1, or a newer patched version
Plugin: Login As Users
Vulnerability: Authentication Bypass
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Cookie Notice & Compliance for GDPR / CCPA
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.4.18
Recommended Action: Update to version 2.4.18, or a newer patched version
Plugin: Build App Online
Vulnerability: Authentication Bypass via Header
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version
Plugin: Selection Lite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.12
Recommended Action: Update to version 1.12, or a newer patched version
Plugin: Asset CleanUp: Page Speed Booster
Vulnerability: Missing Authorization
Patched Version: 1.3.9.4
Recommended Action: Update to version 1.3.9.4, or a newer patched version
Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress
Vulnerability: Missing Authorization to Player Update
Patched Version: 2.0.74
Recommended Action: Update to version 2.0.74, or a newer patched version
Plugin: Modal Window – create popup modal window
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.0.4
Recommended Action: Update to version 6.0.4, or a newer patched version
Plugin: JetElements
Vulnerability: Authenticated (Contributor+) Arbitrary Local File Inclusion
Patched Version: 2.6.20.1
Recommended Action: Update to version 2.6.20.1, or a newer patched version
Plugin: Envo's Elementor Templates & Widgets for WooCommerce
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.4.17
Recommended Action: Update to version 1.4.17, or a newer patched version
Plugin: WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.1.3
Recommended Action: Update to version 9.1.3, or a newer patched version
Plugin: InPost PL
Vulnerability: Missing Authorization to Unauthenticated Arbitrary File Read and Delete
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 4.0.38
Recommended Action: Update to version 4.0.38, or a newer patched version
Plugin: WP Content Copy Protection & No Right Click (PRO)
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 15.3
Recommended Action: Update to version 15.3, or a newer patched version
Plugin: Order Tracking – WordPress Status Tracking Plugin
Vulnerability: Missing Authorization via send_test_email()
Patched Version: 3.3.12b
Recommended Action: Update to one of the following versions, or a newer patched version: 3.3.12b, 3.3.13
Plugin: WP ULike – All-in-One Engagement Toolkit
Vulnerability: 4.7.2
Patched Version: 4.7.2.1
Recommended Action: Update to version 4.7.2.1, or a newer patched version
Plugin: Tutor LMS Elementor Addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Course Carousel Widget
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: White Label CMS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version
Plugin: PowerPack for Beaver Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.37.4
Recommended Action: Update to version 2.37.4, or a newer patched version
Plugin: Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Appointment Hour Booking – WordPress Booking Plugin
Vulnerability: Missing Authorization to Double Booking
Patched Version: 1.4.24
Recommended Action: Update to version 1.4.24, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited File Deletion
Patched Version: 3.14.2
Recommended Action: Update to version 3.14.2, or a newer patched version
Plugin: Advanced Cron Manager – debug & control
Vulnerability: Missing Authorization
Patched Version: 2.5.10
Recommended Action: Update to version 2.5.10, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.4.3
Recommended Action: Update to version 1.4.4.3, or a newer patched version
Plugin: HTML5 Video Player – mp4 Video Player Plugin and Block
Vulnerability: Missing Authorization
Patched Version: 2.5.31
Recommended Action: Update to version 2.5.31, or a newer patched version
Plugin: WP Data Access – App, Table, Form and Chart Builder plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.5.9
Recommended Action: Update to version 5.5.9, or a newer patched version
Plugin: Fonts Plugin | Use Google Fonts, Adobe Fonts or Upload Fonts
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.8
Recommended Action: Update to version 3.7.8, or a newer patched version
Plugin: Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.16
Recommended Action: Update to version 2.6.16, or a newer patched version
Plugin: Photo Engine (Media Organizer & Lightroom)
Vulnerability: Missing Authorization
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version
Plugin: WP Last Modified Info
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via lmt-post-modified-info Shortcode
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Insert PHP Code Snippet
Vulnerability: Cross-Site Request Forgery to Code Snippet Activate/Deactivate/Deletion
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: LoginWP (Formerly Peter's Login Redirect)
Vulnerability: Cross-Site Scripting
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version
Plugin: Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: PDF & Print by BestWebSoft – WordPress Posts and Pages PDF Generator Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.15.1
Recommended Action: Update to version 2.15.1, or a newer patched version
Plugin: Structured Content (JSON-LD) #wpsc
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: All Bootstrap Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.20
Recommended Action: Update to version 1.3.20, or a newer patched version
Plugin: Jetpack – WP Security, Backup, Speed, & Growth
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: Masteriyo LMS – eLearning and Online Course Builder for WordPress
Vulnerability: LMS <= 1.11.4
Patched Version: 1.11.5
Recommended Action: Update to version 1.11.5, or a newer patched version
Plugin: Void Contact Form 7 Widget For Elementor Page Builder
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Unauthenticated PHP Object Injection to Remote Code Execution
Patched Version: 3.14.2
Recommended Action: Update to version 3.14.2, or a newer patched version
Plugin: wpsection
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: BackWPup – WordPress Backup & Restore Plugin
Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: Custom Field For WP Job Manager
Vulnerability: Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: Zephyr Project Manager
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 3.3.101
Recommended Action: Update to version 3.3.101, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version
Plugin: CM Tooltip Glossary
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.9
Recommended Action: Update to version 4.3.9, or a newer patched version
Plugin: Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.7.1
Recommended Action: Update to version 0.7.1, or a newer patched version
Plugin: DL Robots.txt
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: OTA Sync Booking Engine Widget
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Mini Cart Drawer For WooCommerce
Vulnerability: Missing Authorization via AJAX
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version
Plugin: WP Table Builder – WordPress Table Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version
Plugin: WP MultiTasking – WP Utilities
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP MultiTasking – WP Utilities
Vulnerability: Cross-Site Request Forgery to Exit Popup Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AdRotate Banner Manager – The only ad manager you'll need
Vulnerability: Authenticated (Admin+) Double Extension Arbitrary File Upload
Patched Version: 5.13.3
Recommended Action: Update to version 5.13.3, or a newer patched version
Plugin: JetSearch
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.2.1
Recommended Action: Update to version 3.5.2.1, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Missing Authorization to Limited Information Exposure
Patched Version: 3.14.0
Recommended Action: Update to version 3.14.0, or a newer patched version
Plugin: Clever Addons for Elementor
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: DN Popup
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.5.9
Recommended Action: Update to version 3.5.9, or a newer patched version
Plugin: JetTabs for Elementor
Vulnerability: Authenticated (Contributor+) Arbitrary Local File Inclusion
Patched Version: 2.2.3.1
Recommended Action: Update to version 2.2.3.1, or a newer patched version
Plugin: Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN
Vulnerability: Missing Authorization
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version
Plugin: WP-Lister Lite for eBay
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Authenticated (Contributor+) SQL Injection via model_number Parameter
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version
Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Vulnerability: Missing Authorization
Patched Version: 1.2.16
Recommended Action: Update to version 1.2.16, or a newer patched version
Plugin: Opti Marketing
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: StreamCast – Radio Player for WordPress
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.27
Recommended Action: Update to version 1.15.27, or a newer patched version
Plugin: Invite Anyone
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
Plugin: Football Pool
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.11.10
Recommended Action: Update to version 2.11.10, or a newer patched version
Plugin: Filr – Secure document library
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Clone
Vulnerability: Missing Authorization
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: KBucket: Your Curated Content in WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: Snapshot Backup
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin
Vulnerability: Missing Authorization
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: WP Like Button
Vulnerability: Missing Authorization
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Salon Booking System
Vulnerability: Unauthenticated Open Redirect
Patched Version: 10.9
Recommended Action: Update to version 10.9, or a newer patched version
Plugin: Short URL
Vulnerability: Cross-Site Request Forgery via configuration_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more
Vulnerability: Missing Authorization
Patched Version: 5.5.7
Recommended Action: Update to version 5.5.7, or a newer patched version
Plugin: Mail Masta
Vulnerability: SQL Injection via id parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Zephyr Project Manager
Vulnerability: Authenticated (Subscriber+) Limited Privilege Escalation
Patched Version: 3.3.102
Recommended Action: Update to version 3.3.102, or a newer patched version
Plugin: Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages
Vulnerability: Authenticated (Editor+) Local File Inclusion
Patched Version: 1.5.2.1
Recommended Action: Update to version 1.5.2.1, or a newer patched version
Plugin: Stripe Payments For WooCommerce by Checkout Plugins
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version
Plugin: Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 3.4.10
Recommended Action: Update to version 3.4.10, or a newer patched version
Plugin: FormCraft – Form Builder
Vulnerability: Missing Authorization
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version
Plugin: Import and export users and customers
Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.26.9
Recommended Action: Update to version 1.26.9, or a newer patched version
Plugin: LA-Studio Element Kit for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.9.3
Recommended Action: Update to version 1.3.9.3, or a newer patched version
Plugin: ConvertPlus
Vulnerability: Unauthorized Account Creation
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version
Plugin: WP MultiTasking – WP Utilities
Vulnerability: Cross-Site Request Forgery to SMTP Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor
Vulnerability: Gutenberg Blocks
Patched Version: 3.3.6
Recommended Action: Update to version 3.3.6, or a newer patched version
Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim
Vulnerability: Missing Authorization via remove_feedbacktool_notice()
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: Event Tickets with Ticket Scanner
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version
Plugin: Custom 404 Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version
Plugin: Pocket Widget
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Card Elements for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: System Dashboard
Vulnerability: Reflected Cross-Site Scripting via X-Forwarded-For
Patched Version: 2.8.10
Recommended Action: Update to version 2.8.10, or a newer patched version
Plugin: Bold Timeline Lite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: JetElements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.20.1
Recommended Action: Update to version 2.6.20.1, or a newer patched version
Plugin: Graphina – Elementor Charts and Graphs
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Missing Authorization
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: Flaming Forms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Floating Contact Button
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version
Plugin: WordPress Webinar Plugin – WebinarPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.33.21
Recommended Action: Update to version 1.33.21, or a newer patched version
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 1.4.2.1
Recommended Action: Update to version 1.4.2.1, or a newer patched version
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.87
Recommended Action: Update to version 2.2.87, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Authentication Bypass to Account Takeover
Patched Version: 4.15.3
Recommended Action: Update to version 4.15.3, or a newer patched version
Plugin: SpeedyCache – Cache, Optimization, Performance
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: ElementsKit Pro
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 3.6.7
Recommended Action: Update to version 3.6.7, or a newer patched version
Plugin: Slideshow, Image Slider by 2J
Vulnerability: Reflected Cross-Site Scripting via ‘post’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Missing Authorization to Unauthenticated Event Settings Update
Patched Version: 3.14.0
Recommended Action: Update to version 3.14.0, or a newer patched version
Plugin: WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.2.29
Recommended Action: Update to version 2.2.29, or a newer patched version
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: 2.13.4
Patched Version: 2.13.5
Recommended Action: Update to version 2.13.5, or a newer patched version
Plugin: Cryptocurrency Widgets – Price Ticker & Coins List
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: Export Products, Order & Customers for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version
Plugin: AZIndex
Vulnerability: Cross-Site Request Forgery to Index Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Share
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Crelly Slider
Vulnerability: Arbitrary File Upload
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Flamix: Bitrix24 and Contact Form 7 integrations
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: ووکامرس فارسی
Vulnerability: Missing Authorization
Patched Version: 9.0.0
Recommended Action: Update to version 9.0.0, or a newer patched version
Plugin: Download Plugins and Themes in ZIP from Dashboard
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version
Plugin: Weblizar Pin Feeds
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: WordPress File Upload
Vulnerability: Unauthenticated Stored Cross-Site Scripting via SVG File Upload
Patched Version: 4.24.9
Recommended Action: Update to version 4.24.9, or a newer patched version
Plugin: Build App Online
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 1.0.21
Recommended Action: Update to version 1.0.21, or a newer patched version
Plugin: TypeSquare Webfonts for エックスサーバー
Vulnerability: Missing Authorization via typesquare_admin_init()
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Masteriyo LMS – eLearning and Online Course Builder for WordPress
Vulnerability: LMS <= 1.11.6
Patched Version: 1.12.0
Recommended Action: Update to version 1.12.0, or a newer patched version
Plugin: Waitlist Woocommerce ( Back in stock notifier )
Vulnerability: Missing Authorization
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Plugin Notes Plus
Vulnerability: Authenticated (Subscriber+) Arbitrary Note Deletion
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: WP MultiTasking – WP Utilities
Vulnerability: Cross-Site Request Forgery to Welcome Popup Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AMP for WP – Accelerated Mobile Pages
Vulnerability: Missing Authorization
Patched Version: 1.0.97
Recommended Action: Update to version 1.0.97, or a newer patched version
Plugin: 3CX Free Live Chat, Calls & WhatsApp
Vulnerability: JavaScript Code Injection
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version
Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.19.1
Recommended Action: Update to version 1.19.1, or a newer patched version
Plugin: Child Theme Creator by Orbisius
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Football Pool
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.12.1
Recommended Action: Update to version 2.12.1, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Missing Authorization
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Unauthenticated Information Exposure
Patched Version: 23.1.3
Recommended Action: Update to version 23.1.3, or a newer patched version
Plugin: Sheet to Table Live Sync for Google Sheet
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via STWT_Sheet_Table Shortcode
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Team Showcase
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.22.24
Recommended Action: Update to version 1.22.24, or a newer patched version
Plugin: E2Pdf – Export Pdf Tool for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.25.11
Recommended Action: Update to version 1.25.11, or a newer patched version
Plugin: Meta Field Block
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.14
Recommended Action: Update to version 1.2.14, or a newer patched version
Plugin: WP Content Copy Protection & No Right Click (PRO)
Vulnerability: Open Redirect
Patched Version: 15.3
Recommended Action: Update to version 15.3, or a newer patched version
Plugin: Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.11
Recommended Action: Update to version 3.4.11, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.