Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. Addressing these vulnerabilities promptly, by updating to the patched version or removing plugins that have no fix, reduces the risk to your WordPress site and its data.
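The entries below all share one four-line layout (Plugin, Vulnerability, Patched Version, Recommended Action). As an added example that is not part of the original roundup, here is a small Python checker that parses that layout, compares each patched version against the version installed on a site, and reports what is still exposed. The roundup excerpt and the INSTALLED inventory are constructed sample data; in practice the inventory would come from `wp plugin list --format=json`, with the slug-to-title mapping left as an assumed step. Versions are compared numerically per dotted component, the way PHP's version_compare treats purely numeric versions, which matters for plugins whose version strings do not sort correctly as text (ConveyThis at 235, Articulate at 4.3000000024); an entry with no patched version is always reported, and WordPress core entries are skipped because their fix spans many release branches.

```python
"""Check installed WordPress plugins against a weekly roundup.

The roundup format is four lines per entry:
  Plugin: <title> / Vulnerability: <type> / Patched Version: <v or "No patched
  version available"> / Recommended Action: <text>.
Everything here is example code written for this page, not the roundup's own tooling.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the roundup's layout (three plugin entries plus a
# core entry, so the core-skipping path is exercised).
SAMPLE_ROUNDUP = """\
Plugin: Photo Engine (Media Organizer & Lightroom)
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 6.3.2
Recommended Action: Update to version 6.3.2, or a newer patched version
Plugin: ListingPro Plugin
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability's details in depth.
Core: WordPress
Vulnerability: Authenticated (Administrator+) PHP File Upload
Patched Version: 4.1.40
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.40, 6.4.3
Plugin: Insert or Embed Articulate Content into WordPress
Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 4.3000000024
Recommended Action: Update to version 4.3000000024, or a newer patched version
"""

# Constructed inventory keyed by the title used in the roundup. In practice this
# comes from `wp plugin list --format=json`, mapped from slug to title (assumed step).
INSTALLED: Dict[str, str] = {
    "Photo Engine (Media Organizer & Lightroom)": "6.3.1",
    "ListingPro Plugin": "2.9.4",  # hypothetical version; no fix exists at all
    "Insert or Embed Articulate Content into WordPress": "4.3000000024",
}

FIELD_RE = re.compile(r"^(Plugin|Core|Vulnerability|Patched Version|Recommended Action):\s*(.*)$")
NO_PATCH = "no patched version available"


@dataclass(frozen=True)
class Advisory:
    plugin: str
    vulnerability: str
    patched: Optional[str]  # None when the roundup lists no fixed version


def parse_roundup(text: str) -> List[Advisory]:
    """Turn the four-line entries into Advisory records. Core entries are
    dropped: one 'Patched Version' cannot express WordPress's per-branch
    fixes (4.1.40, 4.2.37, ... 6.4.3), so they need branch-aware handling."""
    records: List[dict] = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in ("Plugin", "Core"):
            records.append({"kind": key, "name": value})
        elif records:
            records[-1][key] = value
    advisories = []
    for rec in records:
        if rec["kind"] != "Plugin":
            continue
        patched = rec.get("Patched Version", "")
        advisories.append(Advisory(
            plugin=rec["name"],
            vulnerability=rec.get("Vulnerability", ""),
            patched=None if patched.lower() == NO_PATCH else patched,
        ))
    return advisories


def version_lt(a: str, b: str) -> bool:
    """True when a < b, comparing dotted components numerically (so 6.10 > 6.3
    and 235 > 99); the shorter version is zero-padded, so 3.0 == 3.0.0."""
    pa = [int(p) if p.isdigit() else -1 for p in a.strip().split(".")]
    pb = [int(p) if p.isdigit() else -1 for p in b.strip().split(".")]
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    return pa < pb


def is_vulnerable(installed: str, patched: Optional[str]) -> bool:
    """No fixed version means every installed version is exposed."""
    return patched is None or version_lt(installed, patched)


def check_installed(advisories: List[Advisory],
                    installed: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (plugin, installed version, vulnerability, action) per affected plugin."""
    findings = []
    for adv in advisories:
        current = installed.get(adv.plugin)
        if current is None or not is_vulnerable(current, adv.patched):
            continue
        action = (f"update to {adv.patched} or newer" if adv.patched
                  else "no fix available: mitigate or remove the plugin")
        findings.append((adv.plugin, current, adv.vulnerability, action))
    return findings


if __name__ == "__main__":
    for plugin, current, vuln, action in check_installed(parse_roundup(SAMPLE_ROUNDUP), INSTALLED):
        print(f"{plugin} {current}: {vuln} -> {action}")
```

Running the script against the sample reports Photo Engine (6.3.1 is below 6.3.2) and ListingPro (no fix exists), and stays silent for the Articulate plugin, which is already at the patched version.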
Plugin: Photo Engine (Media Organizer & Lightroom)
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 6.3.2
Recommended Action: Update to version 6.3.2, or a newer patched version
Plugin: AliExpress Dropshipping Plugin for WooCommerce – AliNext
Vulnerability: Missing Authorization via Several Functions
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.59.4
Recommended Action: Update to version 3.59.4, or a newer patched version
Plugin: CRM Perks Forms – WordPress Form Builder
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Jetpack Boost – Website Speed, Performance and Critical CSS
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version
Plugin: Booking for Appointments and Events Calendar – Amelia Pro
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version
Plugin: Translate WordPress with ConveyThis
Vulnerability: Missing Authorization to Limited Option Update
Patched Version: 235
Recommended Action: Update to version 235, or a newer patched version
Plugin: Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.19
Recommended Action: Update to version 2.6.19, or a newer patched version
Plugin: ListingPro Plugin
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cliengo – Chatbot
Vulnerability: Type not specified in this listing (affects versions <= 3.0.2)
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Core: WordPress
Vulnerability: Authenticated (Administrator+) PHP File Upload
Patched Version: 4.1.40
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.40, 4.2.37, 4.3.33, 4.4.32, 4.5.31, 4.6.28, 4.7.28, 4.8.24, 4.9.25, 5.0.21, 5.1.18, 5.2.20, 5.3.17, 5.4.15, 5.5.14, 5.6.13, 5.7.11, 5.8.9, 5.9.9, 6.0.7, 6.1.5, 6.2.4, 6.3.3, 6.4.3
Plugin: Call Now Button – The #1 Click to Call Button for WordPress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: HubSpot Developer API Key Sensitive Information Exposure
Patched Version: 1.29.2
Recommended Action: Update to version 1.29.2, or a newer patched version
Plugin: JetFormBuilder — Dynamic Blocks Form Builder
Vulnerability: Authenticated (Administrator+) Privilege Escalation
Patched Version: 3.3.4.2
Recommended Action: Update to version 3.3.4.2, or a newer patched version
Plugin: Weather Widget Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.41
Recommended Action: Update to version 1.1.41, or a newer patched version
Plugin: Accordion
Vulnerability: Missing Authorization to Authenticated (Contributor+) Post Duplication
Patched Version: 2.2.97
Recommended Action: Update to version 2.2.97, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS
Patched Version: 2.15.8
Recommended Action: Update to version 2.15.8, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.6.12
Recommended Action: Update to version 5.6.12, or a newer patched version
Plugin: AdFoxly – Ad Manager, AdSense Ads & Ads.txt
Vulnerability: Missing Authorization to Unauthenticated Ad Status Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Blox Page Builder
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chatbot with ChatGPT WordPress
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: WP-PostRatings
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.91.2
Recommended Action: Update to version 1.91.2, or a newer patched version
Plugin: WP Fast Total Search – The Power of Indexed Search
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.69.234
Recommended Action: Update to version 1.69.234, or a newer patched version
Plugin: CTT Expresso para WooCommerce
Vulnerability: Information Exposure via Unprotected Directory
Patched Version: 3.2.13
Recommended Action: Update to version 3.2.13, or a newer patched version
Plugin: Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.3.1
Recommended Action: Update to version 3.0.3.1, or a newer patched version
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via redirectURL Parameter of Date Countdown Widget
Patched Version: 2.2.86
Recommended Action: Update to version 2.2.86, or a newer patched version
Plugin: Custom Query Blocks
Vulnerability: Missing Authorization via REST Routes
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version
Plugin: Element Pack Pro – Addon for Elementor Page Builder WordPress Plugin
Vulnerability: Type not specified in this listing (affects versions <= 7.9.0)
Patched Version: 7.9.1
Recommended Action: Update to version 7.9.1, or a newer patched version
Plugin: WooCommerce – PDF Vouchers
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.5
Recommended Action: Update to version 4.9.5, or a newer patched version
Plugin: ArtPlacer Widget
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.21.2
Recommended Action: Update to version 2.21.2, or a newer patched version
Plugin: Happy WooCommerce FAQs & AI FAQ Generator (Formerly XPlainer)
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 23.1.3
Recommended Action: Update to version 23.1.3, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Type not specified in this listing (affects versions <= 5.7.26)
Patched Version: 5.7.27
Recommended Action: Update to version 5.7.27, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Authenticated (Student+) HTML Injection via Q&A
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Sign-up Sheets
Vulnerability: Missing Authorization
Patched Version: 2.2.13
Recommended Action: Update to version 2.2.13, or a newer patched version
Plugin: WPBakery Visual Composer
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 7.8
Recommended Action: Update to version 7.8, or a newer patched version
Plugin: Advanced File Manager Shortcodes
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Basic Information Exposure via REST route
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version
Plugin: Event Tickets and Registration
Vulnerability: Improper Authorization to Information Disclosure
Patched Version: 5.8.3
Recommended Action: Update to version 5.8.3, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: FundEngine – Donation and Crowdfunding Platform
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: Message Filter for Contact Form 7
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Horizontal scrolling announcements
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Banner Link
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version
Plugin: ProfilePro
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Predictive Search for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.0
Recommended Action: Update to version 6.1.0, or a newer patched version
Plugin: WooCommerce – PDF Vouchers
Vulnerability: Missing Authorization
Patched Version: 4.9.5
Recommended Action: Update to version 4.9.5, or a newer patched version
Plugin: WordPress Menu Plugin — Superfly Responsive Menu
Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: 5.0.30
Recommended Action: Update to version 5.0.30, or a newer patched version
Plugin: WooCommerce Add to Cart Custom Redirect
Vulnerability: Authenticated (Contributor+) Missing Authorization to Limited Arbitrary Options Update
Patched Version: 1.2.14
Recommended Action: Update to version 1.2.14, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘aux_gmaps’ Shortcode
Patched Version: 2.15.8
Recommended Action: Update to version 2.15.8, or a newer patched version
Plugin: BSK PDF Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: WooCommerce Cloak Affiliate Links
Vulnerability: Missing Authorization to Unauthenticated Permalink Modification
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version
Plugin: WP Mobile Menu – The Mobile-Friendly Responsive Menu
Vulnerability: Missing Authorization to _mobmenu_icon Post Meta Modification
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version
Plugin: Sync Post With Other Site
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Post Creation and Update
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: WP ULike – All-in-One Engagement Toolkit
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.1
Recommended Action: Update to version 4.7.1, or a newer patched version
Plugin: Spectra Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block IDs
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 6.0.0.2
Recommended Action: Update to version 6.0.0.2, or a newer patched version
Plugin: PVN Auth Popup
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Blocks – WordPress Blocks Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title tag attribute
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Extensions for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via EE Events and EE Flipbox Widget
Patched Version: 2.0.33
Recommended Action: Update to version 2.0.33, or a newer patched version
Plugin: Customer Reviews for WooCommerce
Vulnerability: Improper Authorization via submit_review
Patched Version: 5.39.0
Recommended Action: Update to version 5.39.0, or a newer patched version
Plugin: Swift Framework
Vulnerability: Type not specified in this listing
Patched Version: 2024.04.30
Recommended Action: Update to version 2024.04.30, or a newer patched version
Plugin: Cooked – Recipe Management
Vulnerability: Cross-Site Request Forgery to Template Apply
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: WANotifier – Send Message Notifications Using Cloud API
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: MapFig Studio
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VikRentCar Car Rental Management System
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.2.6.9
Recommended Action: Update to version 4.2.6.9, or a newer patched version
Plugin: UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘title_tag’
Patched Version: 2.15.8
Recommended Action: Update to version 2.15.8, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Sensitive Information Exposure
Patched Version: 1.15.23
Recommended Action: Update to version 1.15.23, or a newer patched version
Plugin: ListingPro Plugin
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PayTR Taksit Tablosu – WooCommerce
Vulnerability: Improper Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Extensions for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.32
Recommended Action: Update to version 2.0.32, or a newer patched version
Plugin: Lifetime free Drag & Drop Contact Form Builder for WordPress VForm
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: Template Kit – Import
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via template upload
Patched Version: 1.0.15
Recommended Action: Update to version 1.0.15, or a newer patched version
Plugin: Tin Canny Reporting for LearnDash
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.0.8
Recommended Action: Update to version 4.3.0.8, or a newer patched version
Plugin: Kubio AI Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: WP-Recall – Registration, Profile, Commerce & More
Vulnerability: Unauthenticated Payment Deletion via delete_payment
Patched Version: 16.26.7
Recommended Action: Update to version 16.26.7, or a newer patched version
Plugin: PowerPack for Beaver Builder
Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 2.33.1
Recommended Action: Update to version 2.33.1, or a newer patched version
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Content
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: The Events Calendar
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.6.4
Recommended Action: Update to version 6.6.4, or a newer patched version
Plugin: Social Feed Gallery
Vulnerability: Missing Authorization
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version
Plugin: Custom 404 Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version
Plugin: Meks ThemeForest Smart Widget
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 4.2.6.9
Recommended Action: Update to version 4.2.6.9, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Missing Authorization via get_uri_editor
Patched Version: 2.4.3.2
Recommended Action: Update to version 2.4.3.2, or a newer patched version
Plugin: YayExtra – WooCommerce Extra Product Options
Vulnerability: Unauthenticated Arbitrary File Upload via handle_upload_file Function
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.42
Recommended Action: Update to version 1.1.42, or a newer patched version
Plugin: SportsPress – Sports Club & League Manager
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.7.22
Recommended Action: Update to version 2.7.22, or a newer patched version
Plugin: ArtPlacer Widget
Vulnerability: Missing Authorization to Widget Deletion
Patched Version: 2.21.2
Recommended Action: Update to version 2.21.2, or a newer patched version
Plugin: rtMedia for WordPress, BuddyPress and bbPress
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.6.19
Recommended Action: Update to version 4.6.19, or a newer patched version
Plugin: WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 6.0.5
Recommended Action: Update to version 6.0.5, or a newer patched version
Plugin: Download Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.98
Recommended Action: Update to version 3.2.98, or a newer patched version
Plugin: WPBakery Visual Composer
Vulnerability: Authenticated (Author+) Local File Inclusion
Patched Version: 7.8
Recommended Action: Update to version 7.8, or a newer patched version
Plugin: LearnDash LMS – Reports
Vulnerability: Type not specified in this listing (affects versions <= 1.8.2.1)
Patched Version: 1.8.2.2
Recommended Action: Update to version 1.8.2.2, or a newer patched version
Plugin: Ditty – Responsive News Tickers, Sliders, and Lists
Vulnerability: Type not specified in this listing (affected version listed as 3.1.45)
Patched Version: 3.1.46
Recommended Action: Update to version 3.1.46, or a newer patched version
Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 6.11.2
Recommended Action: Update to version 6.11.2, or a newer patched version
Plugin: Cooked – Recipe Management
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: WP Compress – Instant Performance & Speed Optimization
Vulnerability: Missing Authorization to Unauthenticated CDN Modification
Patched Version: 6.11.11
Recommended Action: Update to version 6.11.11, or a newer patched version
Plugin: ListingPro Plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.15.8
Recommended Action: Update to version 2.15.8, or a newer patched version
Plugin: PayTR Taksit Tablosu – WooCommerce
Vulnerability: Missing Authorization
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Zephyr Project Manager
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.3.99
Recommended Action: Update to version 3.3.99, or a newer patched version
Plugin: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget
Vulnerability: Authenticated (Contributor+) PHP Object Injection in outpost_shortcode_metabox_markup
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: DL Yandex Metrika
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress File Upload
Vulnerability: Missing Authorization
Patched Version: 4.24.8
Recommended Action: Update to version 4.24.8, or a newer patched version
Plugin: ListingPro Plugin
Vulnerability: Authenticated (Author+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Panda Video
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: WooCommerce Customers Manager
Vulnerability: Cross-Site Request Forgery to Customer Deletion via ‘Delete’
Patched Version: 30.1
Recommended Action: Update to version 30.1, or a newer patched version
Plugin: AliExpress Dropshipping Plugin for WooCommerce – AliNext
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version
Plugin: GutSlider – All in One Block Slider for Gutenberg
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: Panda Video
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Blog2Social: Social Media Auto Post & Scheduler
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via File Upload
Patched Version: 7.5.5
Recommended Action: Update to version 7.5.5, or a newer patched version
Plugin: Meks Smart Author Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Missing Authorization
Patched Version: 2.15.8
Recommended Action: Update to version 2.15.8, or a newer patched version
Plugin: Breakdance
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: TemplateSpare: Build Stunning WordPress Sites Fast – 1000+ News, Blog, eCommerce & Magazine Templates. One-Click Import, Fully Customizable with Gutenberg & Elementor, No Coding Needed.
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Theme Update
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.35
Recommended Action: Update to version 4.10.35, or a newer patched version
Plugin: PowerPack Lite for Beaver Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via element link
Patched Version: 1.3.0.1
Recommended Action: Update to version 1.3.0.1, or a newer patched version
Plugin: Traffic Manager
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version
Plugin: Great Restaurant Menu WP
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Accordion Widget
Patched Version: 2.15.6
Recommended Action: Update to version 2.15.6, or a newer patched version
Plugin: Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Black Widgets For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: Easy Property Listings
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version
Plugin: Cards for Beaver Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via bootstrapcard link
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Schema & Structured Data for WP & AMP
Vulnerability: Missing Authorization to reCaptcha Key Modification
Patched Version: 1.27
Recommended Action: Update to version 1.27, or a newer patched version
Plugin: Filter & Grids
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.34
Recommended Action: Update to version 2.8.34, or a newer patched version
Plugin: Footer Putter
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA
Vulnerability: Missing Authorization to Unauthenticated Message Duplication
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version
Plugin: File Manager Pro – Filester
Vulnerability: Authenticated Plugin Settings Update
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Insert or Embed Articulate Content into WordPress
Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 4.3000000024
Recommended Action: Update to version 4.3000000024, or a newer patched version
Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version
Plugin: Dynamic Word Spinner: CSS3 Animated Rotation
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version
Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction
Vulnerability: Basic <= 3.8.3.4
Patched Version: 3.8.3.5
Recommended Action: Update to version 3.8.3.5, or a newer patched version
Plugin: AliExpress Dropshipping Plugin for WooCommerce – AliNext
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version
Plugin: Shopkeeper Extender
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version
Plugin: Black Widgets For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version
Plugin: AliExpress Dropshipping Plugin for WooCommerce – AliNext
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 3.3.6
Recommended Action: Update to version 3.3.6, or a newer patched version
Plugin: LiquidPoll – Polls, Surveys, NPS and Feedback Reviews
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.3.78
Recommended Action: Update to version 3.3.78, or a newer patched version
Plugin: WooCommerce – PDF Vouchers
Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 4.9.5
Recommended Action: Update to version 4.9.5, or a newer patched version
Plugin: Filter & Grids
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version
Plugin: Happy WooCommerce FAQs & AI FAQ Generator (Formerly XPlainer)
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: PVN Auth Popup
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clever Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple CAFE Widgets
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version
Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version
Plugin: PowerPack Pro for Elementor
Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 2.10.15
Recommended Action: Update to version 2.10.15, or a newer patched version
Plugin: Salon Booking System
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 10.8
Recommended Action: Update to version 10.8, or a newer patched version
Plugin: Zephyr Project Manager
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via filename Parameter
Patched Version: 3.3.101
Recommended Action: Update to version 3.3.101, or a newer patched version
Plugin: AZAN Plugin
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.7
Recommended Action: Update to version 0.7, or a newer patched version
Plugin: Stackable – Page Builder Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Block
Patched Version: 3.12.12
Recommended Action: Update to version 3.12.12, or a newer patched version
Plugin: Breakdance
Vulnerability: Missing Authorization
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: AI Engine
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version
Plugin: WooCommerce Customers Manager
Vulnerability: Cross-Site Request Forgery to Customer Deletion
Patched Version: 30.1
Recommended Action: Update to version 30.1, or a newer patched version
Plugin: Chatbot with ChatGPT WordPress
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: Chatbot Support AI: Free ChatGPT Chatbot, Woocommerce Chatbot
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ajax Search Lite – Live Search & Filter
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.12.2
Recommended Action: Update to version 4.12.2, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Reflected (DOM-Based) Cross-Site Scripting
Patched Version: 2.7.4.3
Recommended Action: Update to version 2.7.4.3, or a newer patched version
Plugin: Tainacan
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read
Patched Version: 0.21.8
Recommended Action: Update to version 0.21.8, or a newer patched version
Core: WordPress
Vulnerability: Stored Cross-Site Scripting via wp-mail.php
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Plugin: Meks Video Importer
Vulnerability: Missing Authorization to Authenticated (Subscriber+) API Keys Modification
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version
Plugin: Ebook Store
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: News Element Elementor Blog Magazine
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Remote Content Shortcode
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Yumpu E-Paper publishing
Vulnerability: Missing Authorization to PDF Upload, Publishing, and API Key Modification
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Product Carousel Slider & Grid Ultimate for WooCommerce
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version
Plugin: Swift Framework
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2024.04.30
Recommended Action: Update to version 2024.04.30, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.27
Recommended Action: Update to version 5.9.27, or a newer patched version
Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 20.0.6
Recommended Action: Update to version 20.0.6, or a newer patched version
Plugin: Smart Recent Posts Widget
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Table Builder – WordPress Table Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Missing Authorization
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin
Vulnerability: Missing Authorization
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: WP Tweet Walls
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Comments – wpDiscuz
Vulnerability: Unauthenticated HTML Injection
Patched Version: 7.6.22
Recommended Action: Update to version 7.6.22, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘aux_timeline’ Shortcode
Patched Version: 2.15.8
Recommended Action: Update to version 2.15.8, or a newer patched version
Plugin: AMP for WP – Accelerated Mobile Pages
Vulnerability: Authenticated (Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data
Patched Version: 1.0.93.2
Recommended Action: Update to version 1.0.93.2, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.