Watch Out Wednesday – December 11, 2024

Understanding Vulnerabilities in WordPress Plugins

Each week we list newly disclosed vulnerabilities in WordPress plugins, together with the version that fixes each one (where a fix exists) and the recommended action, so you can assess the risk to your site and act on it. Addressing these vulnerabilities promptly protects the safety and integrity of your WordPress site and its data.

Plugin: Comfino Payment Gateway

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP System

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Posti Shipping

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting via generate_notices_html Function
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quran multilanguage Text & Audio

Vulnerability: Reflected Cross-Site Scripting via sourate and lang Parameters
Patched Version: 2.3.22
Recommended Action: Update to version 2.3.22, or a newer patched version

Plugin: Weather Atlas Widget

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TI WooCommerce Wishlist

Vulnerability: Missing Authorization to Unauthenticated Plugin Setup Wizard Access
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: Softtemplates For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Property Hive Mortgage Calculator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via price Parameter
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Members – Membership & User Role Editor Plugin

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version

Plugin: Simple Redirection

Vulnerability: Cross-Site Request Forgery to Arbitrary Site Redirect
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: iChart – Easy Charts and Graphs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: ForumWP – Forum & Discussion Board

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Drag & Drop Builder, Human Face Detector, Pre-built Templates, Spam Protection, User Email Notifications & more!

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: User Management

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Prodigy Commerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: افزونه پیامک ووکامرس Persian WooCommerce SMS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0.6
Recommended Action: Update to version 7.0.6, or a newer patched version

Plugin: Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: WP Media Optimizer (.webp)

Vulnerability: Reflected Cross-Site Scripting via wpmowebp-css-resources and wpmowebp-js-resources Parameters
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update / Data Access
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: El mejor Cluster

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version

Plugin: Wot Elementor Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Intro Tour Tutorial DeepPresentation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.5.3
Recommended Action: Update to version 6.5.3, or a newer patched version

Plugin: Photo Video Store

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Minimum and Maximum Quantity for WooCommerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Log Action

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.52
Recommended Action: Update to version 0.52, or a newer patched version

Plugin: Additional Custom Order Status for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: CLUEVO LMS, E-Learning Platform

Vulnerability: Cross-Site Request Forgery to Module Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP MathJax

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification and SQL Injection
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_send Shortcode
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: Lenxel Core

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: LA-Studio Element Kit for Elementor

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: LUNA RADIO PLAYER

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.24.11.15
Recommended Action: Update to version 6.24.11.15, or a newer patched version

Plugin: Chatter

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Friendly Functions for Welcart

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: WP Private Content Plus

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: KiviCare – Clinic & Patient Management System (EHR)

Vulnerability: Authenticated (Doctor/Receptionist+) SQL Injection
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: Easy Code Snippets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Random Banner

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sparkle Elementor Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ni WooCommerce Order Export

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Knowledge Base documentation & wiki plugin – BasePress Docs

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Database Update
Patched Version: 2.16.3.4
Recommended Action: Update to version 2.16.3.4, or a newer patched version

Plugin: Ultimate Coming Soon & Maintenance

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Template Name Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DancePress (TRWA)

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pixobe Cartography

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TWChat – Send or receive messages from users

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Breadcrumbs

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 워드프레스 결제 심플페이 – 우커머스 결제 플러그인

Vulnerability: Reflected Cross-Site Scripting via add_query_arg Parameter
Patched Version: 5.2.3
Recommended Action: Update to version 5.2.3, or a newer patched version

Plugin: Web Bricks Addons for Elementor: Elite-Designed Elementor & eCommerce Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version

Plugin: Stripe Donation

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Login

Vulnerability: Authentication Bypass
Patched Version: 5.10.0
Recommended Action: Update to version 5.10.0, or a newer patched version

Plugin: WP Hide & Security Enhancer

Vulnerability: Missing Authorization to Unauthenticated Arbitrary File Contents Deletion
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: WP Private Content Plus

Vulnerability: Protection Mechanism Bypass
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: WP Mermaid

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Capitalize My Title WordPress Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pie Register – Social Sites Login (Add on)

Vulnerability: Authentication Bypass
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Designer – Addons for Elementor

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lenxel Core

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Swift Performance Lite

Vulnerability: Unauthenticated Local PHP File Inclusion via ‘ajaxify’
Patched Version: 2.3.7.2
Recommended Action: Update to version 2.3.7.2, or a newer patched version

Plugin: Newsletter, Email Marketing, Email Subscriber – Mail Picker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lenxel Core

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Tickets with Ticket Scanner

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: SpatialMatch IDX

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Button Plus

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Country Blocker

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WIP WooCarousel Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Pojo Forms

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution via form_preview_shortcode
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: Elementor Image Gallery Plugin ( Masonry Gallery, Elementor Gallery Plugin With Captions, Elementor Portfolio Gallery Widget, Filterable Gallery )

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Quiz | Quiz Maker

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: KiviCare – Clinic & Patient Management System (EHR)

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: Best Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tithe.ly Giving Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Message Filter for Contact Form 7

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Filter Updates/Deletions
Patched Version: 1.6.3.1
Recommended Action: Update to version 1.6.3.1, or a newer patched version

Plugin: Clickbank WordPress Plugin (Storefront)

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mins To Read

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Header and Footer

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Splash Sync

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Builder by vcita

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via livesite-pay Shortcode
Patched Version: 4.10.5
Recommended Action: Update to version 4.10.5, or a newer patched version

Plugin: Yahoo! WebPlayer

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quotes llama

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: PDF Builder for WooCommerce. Create invoices, packing slips and more

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.137
Recommended Action: Update to version 1.2.137, or a newer patched version

Plugin: Unlock Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Vulnerability: Not named in the listing (affected version 1.9.2.1)
Patched Version: 1.9.2.2
Recommended Action: Update to version 1.9.2.2, or a newer patched version

Plugin: Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: FooGallery Premium

Vulnerability: Authenticated (Contributor+) Directory Traversal
Patched Version: 2.4.27
Recommended Action: Update to version 2.4.27, or a newer patched version

Plugin: Ni WooCommerce Cost Of Goods

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ABCBiz Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zooom

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: REST API TO MiniProgram

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcodes Blocks Creator Ultimate

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DN Shipping by Weight for WooCommerce

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Beautiful taxonomy filters

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CultBooking Hotel Booking Engine

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Course Material Sensitive Information Exposure via REST API
Patched Version: 4.2.7.4
Recommended Action: Update to version 4.2.7.4, or a newer patched version

Plugin: Donate Me

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Message Filter for Contact Form 7

Vulnerability: Missing Authorization to Authenticated (Subscriber+) New Filter Creation
Patched Version: 1.6.3.1
Recommended Action: Update to version 1.6.3.1, or a newer patched version

Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms

Vulnerability: HTML Injection
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: ONLYOFFICE Docs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: AliExpress Dropshipping Plugin for WooCommerce – AliNext

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: Smoove connector for Elementor forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: SimpleSchema Free

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Ultimate Gift Card

Vulnerability: Create, Sell and Manage Gift Cards with Customized Email Templates < 2.9.1
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins

Vulnerability: Sensitive Information Exposure
Patched Version: 2.0.59
Recommended Action: Update to version 2.0.59, or a newer patched version

Plugin: KiviCare – Clinic & Patient Management System (EHR)

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: SearchIQ – The Search Solution

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: WDES Responsive Mobile Menu

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Vertical Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Address Obfuscation

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Cookielay

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via cookielay Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gold Addons for Elementor

Vulnerability: Missing Authorization to Authenticated (Subscriber+) License Activation/Deactivation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 코드엠샵 소셜톡

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Znajdź Pracę z Praca.pl

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FileOrganizer – Manage WordPress and Website Files

Vulnerability: Authenticated (Administrator+) Local JavaScript File Inclusion
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: SG Helper

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Flower Delivery by Florist One

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version

Plugin: REST API TO MiniProgram

Vulnerability: Authenticated (Subscriber+) Media Attachment Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pretty Simple Popup Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Classic Addons – WPBakery Page Builder

Vulnerability: Authenticated (Contributor+) Limited Local PHP File Inclusion
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Event post

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel

Vulnerability: No subtitle
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Friends

Vulnerability: Missing Authorization
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Build App Online

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OTA Sync Booking Engine Widget

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Advanced What should we write next about

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Listdom – Business Directory and Classified Ads Listings WordPress Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode Parameter
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Login Widget With Shortcode

Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TwentyTwenty

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CardGate Payments for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Email Reminders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Mini Program API

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SMS for Lead Capture Forms

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mega Addons For WPBakery Page Builder

Vulnerability: Authenticated (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cowidgets – Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ElementsReady Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.4.8
Recommended Action: Update to version 6.4.8, or a newer patched version

Plugin: Ultimate Coming Soon & Maintenance

Vulnerability: Missing Authorization to Unauthenticated Template Activation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mollie for Contact Form 7

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Verowa Connect

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: SVGator – Add Animated SVG Easily

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: KiviCare – Clinic & Patient Management System (EHR)

Vulnerability: Authenticated (Patient+) Insecure Direct Object Reference
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WC Serial Numbers – Ultimate License Manager for Selling, Licensing & Securely Delivering Digital Content with WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Next-Cart Store to WooCommerce Migration

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.4
Recommended Action: Update to version 3.9.4, or a newer patched version

Plugin: WP-SVG

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Folder Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 소셜 공유 버튼 By 코스모스팜

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: REST API TO MiniProgram

Vulnerability: Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover
Patched Version: 4.7.6
Recommended Action: Update to version 4.7.6, or a newer patched version

Plugin: Video Gallery – YouTube Gallery and Vimeo Gallery

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Classic Addons – WPBakery Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Out Of Stock Badge

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Content Audit Exporter

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accessibility by AllAccessible

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Simple Restrict

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Devnex Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Carousel Slider for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AnyWhere Elementor

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version

Plugin: SV100 Companion

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FastBook – Responsive Appointment Booking and Scheduling System

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form, Survey & Form Builder – MightyForms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PayPal Responder

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Umbrella: Update Backup Restore & Monitoring

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.17.1
Recommended Action: Update to version 2.17.1, or a newer patched version

Plugin: Lead capture, gated content & newsletter opt-ins

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.5.880
Recommended Action: Update to version 7.5.880, or a newer patched version

Plugin: Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal

Vulnerability: Reflected Cross-Site Scripting via monthly_sales_current_year Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multilevel Referral Affiliate Plugin for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Job Manager – Company Profiles

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: turboSMTP

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: ForumWP – Forum & Discussion Board

Vulnerability: Reflected Cross-Site Scripting via url Parameter
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: eDoc Easy Tables – Best WordPress Table Maker

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RRAddons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pulsating Chat Button

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Login With OTP

Vulnerability: Authentication Bypass via Weak OTP
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Watu Quiz

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 3.4.1.3
Recommended Action: Update to version 3.4.1.3, or a newer patched version

Plugin: Responsive Lightbox & Gallery

Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

Plugin: Shortcodes Blocks Creator Ultimate

Vulnerability: Reflected Cross-Site Scripting via _wpnonce
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Last Viewed Posts by WPBeginner

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: XLTab – Accordions and Tabs for Elementor Page Builder

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: RingCentral Communications Plugin – FREE

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Restrict – membership, site, content and user access restrictions for WordPress

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Prodigy Commerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Third Party Cookie Eraser

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: News Kit Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart PopUp Blaster

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Countdown Timer for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Load More Posts

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Waymark

Vulnerability: Reflected Cross-Site Scripting via ‘content’
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Cross-Site Request Forgery to Poll Duplication
Patched Version: 5.5.5
Recommended Action: Update to version 5.5.5, or a newer patched version

Plugin: Simple Popup Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Broadcast

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 51.02
Recommended Action: Update to version 51.02, or a newer patched version

Plugin: B Testimonial – Testimonial plugin for WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Custom Post Type to Map Store

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Products Tables for WooCommerce. Use constructor to create tables 

Vulnerability: Unauthenticated Arbitrary Shortcode Execution via woot_get_smth
Patched Version: 1.0.6.6
Recommended Action: Update to version 1.0.6.6, or a newer patched version

Plugin: float block

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 4.0.52
Recommended Action: Update to version 4.0.52, or a newer patched version

Plugin: Library Management System – Manage e-Digital Books Library

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Video Player for WPBakery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Portfolio Builder – Portfolio Gallery

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dollie Hub – Build Your Own WordPress Cloud Platform

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version

Plugin: WP Find Your Nearest

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accounting for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Eleblog – Elementor Blog And Magazine Addons

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Deactivation Submission
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita

Vulnerability: Cross-Site Request Forgery to Account Logout
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Video Gallery – YouTube Gallery and Vimeo Gallery

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: Build App Online

Vulnerability: Account Takeover via Weak Password Reset Mechanism
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version

Plugin: Responsive Videos

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPBITS Addons For Elementor Page Builder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Feedpress Generator – External RSS Frontend Customizer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Drop Shadow Boxes

Vulnerability: Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 1.7.15
Recommended Action: Update to version 1.7.15, or a newer patched version

Plugin: WP eCards

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.905
Recommended Action: Update to version 1.3.905, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.9.10
Recommended Action: Update to version 2.9.10, or a newer patched version

Plugin: NPS computy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: If Menu – Visibility control for Menus

Vulnerability: Missing Authorization to License Key Update
Patched Version: 0.19.2
Recommended Action: Update to version 0.19.2, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
