Watch Out Wednesday – December 25, 2024

Home » Watch Out Wednesday – December 25, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Ebook Store

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce – PDF Vouchers

Vulnerability: Authentication Bypass
Patched Version: 4.9.9
Recommended Action: Update to version 4.9.9, or a newer patched version

Plugin: Go Animate

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Email Log – PostBox

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Log Export
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: EELV Newsletter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Metrika

Plugin: WPC Shop as a Customer for WooCommerce

Vulnerability: Authentication Bypass Due to Insufficiently Unique Key
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Collapsing Categories

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: ELEX WooCommerce Dynamic Pricing and Discounts

Vulnerability: Missing Authorization
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: Ultimate Flipbox Addon for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Nias course | دوره ساز نیاس

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP BASE Booking of Appointments, Services and Events

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via app_export_db
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: Order Delivery & Pickup Location Date Time ( Free Version )

Vulnerability: Missing Authorization to Unauthenticated Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPCargo Track & Trace

Vulnerability: Missing authorization to Authenticated (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ECT Social Share

Plugin: Philantro – Donations and Donor Management

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version

Plugin: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Page Title Widget
Patched Version: 1.6.47
Recommended Action: Update to version 1.6.47, or a newer patched version

Plugin: Responsive Blocks – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version

Plugin: Advanced Google reCAPTCHA

Vulnerability: Brute Force Protection IP Unblock
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version

Plugin: WP-Appbox

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Increase Sociability

Plugin: Tour Master – Tour Booking, Travel, Hotel

Vulnerability: Tour Booking, Travel, Hotel < 5.3.4
Patched Version: 5.3.4
Recommended Action: Update to version 5.3.4, or a newer patched version

Plugin: Biagiotti Membership

Vulnerability: Authentication Bypass via biagiotti_membership_check_facebook_user
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: GeoFlickr

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Posti Shipping

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.10.4
Recommended Action: Update to version 3.10.4, or a newer patched version

Plugin: Quran Phrases About Most People Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Posts Date Ranges

Plugin: Text Prompter – Unlimited chatgpt text prompts for openai tasks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: My IDX Home Search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Easy Waveform Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Dr Affiliate

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quietly Insights

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ShMapper by Teplitsa

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Simple Notification

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SeedProd Pro

Vulnerability: Authenticated (Editor+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Animation Addons for Elementor

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Content Slider and Tabs Widget Elementor Template
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Gutensee

Plugin: Jet Footer Code

Plugin: Flaming Forms

Plugin: TagGator

Plugin: Wp NssUser Register

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Primary Addon for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Maintenance & Coming Soon Redirect Animation

Vulnerability: Missing Authorization to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online

Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Addon for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Spreadr Woocommerce Plugin – Amazon Importer for Dropshipping and Affiliate

Vulnerability: Missing Authorization
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Youtube Video Grid | Youmax

Plugin: Utech World Time

Plugin: Service

Plugin: Simple Payment

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: ScanCircle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version

Plugin: WPBookit

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AIKCT Engine Chatbot, ChatGPT, Gemini, GPT-4o Best AI Chatbot

Vulnerability: Cross-Site Request Forgery via update_integration_option
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: SMSA Shipping (official)

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Point of Sale

Vulnerability: Insecure Direct Object Reference to Privilege Escalation via Arbitrary User Email Change
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: ListApp Mobile Manager

Plugin: Ultimate Blocks – WordPress Blocks Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Arabic Webfonts

Plugin: CRUDLab Google Plus Button

Plugin: LeaderBoard Plugin

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Button Width
Patched Version: 9.8.1
Recommended Action: Update to version 9.8.1, or a newer patched version

Plugin: Tabs Shortcode

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Private Content Plus

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version

Plugin: Insertify – Ad,HTML,CSS,JS,PHP,PDF,Header & Footer

Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mollie for Contact Form 7

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NinjaTeam Chat for Telegram

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Cross-Site Request Forgery to Password Reset
Patched Version: 3.3.44
Recommended Action: Update to version 3.3.44, or a newer patched version

Plugin: Image Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.4.11
Recommended Action: Update to version 4.4.11, or a newer patched version

Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Car Rental WordPress Plugin | WooCommerce Booking

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.15.4
Recommended Action: Update to version 2.15.4, or a newer patched version

Plugin: Nabz Image Gallery

Plugin: Responsive Google Maps | by imbaa

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: WP Cookies Enabler

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-HideThat

Plugin: Echoza

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ImageRecycle pdf & image compression

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.17
Recommended Action: Update to version 3.1.17, or a newer patched version

Plugin: Bet sport Free

Plugin: Add image to Post

Plugin: Administrator Z

Plugin: Peter’s Custom Anti-Spam

Vulnerability: Cross-Site Request Forgery via cas_register_post Function
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Missing Authorization
Patched Version: 2.0.25
Recommended Action: Update to version 2.0.25, or a newer patched version

Plugin: Geoportail Shortcode

Plugin: Spreadr Woocommerce Plugin – Amazon Importer for Dropshipping and Affiliate

Vulnerability: Missing Authorization to Arbitrary Content Deletion
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Custom Product tabs for WooCommerce

Vulnerability: Authenticated (Shop Manager+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LeadBoxer

Plugin: Avada (Fusion) Builder

Vulnerability: Authenticated (Contributor+) Protected Post Disclosure
Patched Version: 3.11.13
Recommended Action: Update to version 3.11.13, or a newer patched version

Plugin: Share Buttons – Social Media

Plugin: Hack-Info

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.18
Recommended Action: Update to version 3.18, or a newer patched version

Plugin: Optio Dentistry

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Particle Background

Plugin: Newsletter, Email Marketing, Email Subscriber – Mail Picker

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.0.15
Recommended Action: Update to version 1.0.15, or a newer patched version

Plugin: SOPA Blackout

Plugin: Zita Site Builder – Elementor, WordPress & Gutenberg Website Builder

Vulnerability: Missing Authorization to Arbitrary Plugin Installation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mark New Posts

Vulnerability: Missing Authorization via save_options
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: Tracking Code Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Premium Portfolio Features for Phlox theme

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: WP Fiddle

Plugin: UNIVERSAM

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.59
Recommended Action: Update to version 8.59, or a newer patched version

Plugin: PowerFormBuilder – Contact Form Database Manager for WordPress

Plugin: DirectoryPress – Business Directory And Classified Ad Listing

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.6.17
Recommended Action: Update to version 3.6.17, or a newer patched version

Plugin: Spotlightr

Plugin: Designer – Elementor Addons

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Schema App Structured Data

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Comments On Feed

Plugin: Clients

Plugin: Download Manager

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 3.3.04
Recommended Action: Update to version 3.3.04, or a newer patched version

Plugin: Wp Login with Ajax

Plugin: Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: One Click Upsell Funnel for WooCommerce – Funnel Builder for WordPress, Create WooCommerce Upsell, Post-Purchase Upsell & Cross Sell Offers that Boost Sales & Increase Profits with Sales Funnel Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wps_wocuf_pro_yes Shortcode
Patched Version: 3.4.10
Recommended Action: Update to version 3.4.10, or a newer patched version

Plugin: Post Carousel & Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Store Locator for WordPress with Google Maps – LotsOfLocales

Plugin: TSB Occasion Editor

Plugin: vBSSO-lite

Plugin: Woocommerce Blocks – Woolook

Plugin: Smaily for WP

Plugin: LionScripts: Site Maintenance & Noindex Nofollow Plugin

Plugin: DX Dark Site

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: XPD Reduce Image Filesize

Plugin: ECT Product Carousel

Plugin: File Manager Pro – Filester

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Filebird Plugin Installation
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: WP Docs

Vulnerability: Authenticated (Subscriber+) Time-Based SQL Injection via ‘dir_id’
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: WP微信机器人

Plugin: AMP for WP – Accelerated Mobile Pages

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Feedpress Generator – External RSS Frontend Customizer

Plugin: kk Star Ratings – Rate Post & Collect User Feedbacks

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 5.4.10.1
Recommended Action: Update to version 5.4.10.1, or a newer patched version

Plugin: WordPress Filter

Plugin: Wtyczka SeoPilot dla WP

Plugin: Ebook Store

Vulnerability: Reflected Cross-Site Scripting via ‘step’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Mailster

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.18.0
Recommended Action: Update to version 1.8.18.0, or a newer patched version

Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

Plugin: Kundgenerator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Invoice Payment for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Plugin: Embed Twine

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Text Color
Patched Version: 9.8.1
Recommended Action: Update to version 9.8.1, or a newer patched version

Plugin: Advanced Blog Post Block

Plugin: Advance Menu Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: Taeggie Feed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.1.10
Recommended Action: Update to version 0.1.10, or a newer patched version

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via aux_contact_box and aux_gmaps Shortcodes
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leader

Plugin: Job Board Manager

Plugin: Plezi

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: SiteOrigin Widgets Bundle

Vulnerability: Missing Authorization
Patched Version: 1.64.1
Recommended Action: Update to version 1.64.1, or a newer patched version

Plugin: eTemplates

Plugin: New User Approve

Vulnerability: Missing Authorization
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Advanced Data Table For Elementor

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.1.22
Recommended Action: Update to version 1.1.22, or a newer patched version

Plugin: WP Mega Menu

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page and Post Restriction

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcodes Blocks Creator Ultimate

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gaxx Keywords

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bold Page Builder

Vulnerability: Authenticated (Editor+) Path Traversal
Patched Version: 5.1.6
Recommended Action: Update to version 5.1.6, or a newer patched version

Plugin: Gou Manage My Account Menu – User Roles

Vulnerability: Missing Authorization
Patched Version: 1.0.1.9
Recommended Action: Update to version 1.0.1.9, or a newer patched version

Plugin: Affiliate Program Suite — SliceWP Affiliates

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 1.1.24
Recommended Action: Update to version 1.1.24, or a newer patched version

Plugin: Restaurant & Cafe Addon for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Hurrakify

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 8.0.1
Recommended Action: Update to version 8.0.1, or a newer patched version

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Staff Widget
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slope Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.2.13
Recommended Action: Update to version 4.2.13, or a newer patched version

Plugin: Bootstrap Buttons

Plugin: Admin Customization

Plugin: Feedify – Web Push Notifications

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: Radius Blocks – WordPress Gutenberg Blocks

Plugin: Multiple Admin Emails

Plugin: FormFacade – WordPress plugin for Google Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: This is a Subversion repository; use the 'svnadmin' tool to examine

Plugin: Pingmeter Uptime Monitoring

Plugin: Appsplate

Plugin: CK and SyntaxHighlighter

Plugin: CRM WordPress Plugin – RepairBuddy

Vulnerability: Missing Authorization to Account Takeover/Privilege Escalation
Patched Version: 3.8122
Recommended Action: Update to version 3.8122, or a newer patched version

Plugin: WP SHAPES

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Display Future Posts

Plugin: افزونه پیامک ووکامرس Persian WooCommerce SMS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.0.6
Recommended Action: Update to version 7.0.6, or a newer patched version

Plugin: News Ticker for Elementor

Plugin: real.Kit

Plugin: ForumWP – Forum & Discussion Board

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: LaunchPage.app Importer

Plugin: Easy Replace

Plugin: Notibar – Notification Bar for WordPress

Vulnerability: Missing Authorization via ajax_install_plugin
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: phZoom Plugin for WordPress

Plugin: Firebase OTP Authentication

Plugin: AutoWP – AI Content Writer & Rewriter

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: FloristPress – Customize your Woo store for your Florist

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version

Plugin: Like in Vk.com

Plugin: Print Invoice & Delivery Notes for WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Logo Deletion
Patched Version: 5.4.1
Recommended Action: Update to version 5.4.1, or a newer patched version

Plugin: Better WP Login Page

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Vimeography: Vimeo Video Gallery WordPress Plugin

Vulnerability: Sensitive Information Exposure
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: WP Flipkart Importer

Plugin: Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Staggs – Product Configurator Toolkit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: WP on AWS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version

Plugin: Simple Notification

Plugin: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: Wr Age Verification

Plugin: Custom Login Page Styler – Limit Login Attempts – Restrict Content With Login – Redirect After Login – Change Login Url

Vulnerability: Missing Authorization to Authenticated (Subscriber+)Privilege Escalation
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Patched Version: 7.8.6
Recommended Action: Update to version 7.8.6, or a newer patched version

Plugin: GEO my WP

Vulnerability: Missing Authorization via get_field_options_ajax
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version

Plugin: Content No Cache | Serve uncached partial content even when you add it to a page that is fully cached.

Vulnerability: Unauthenticated Private Content Disclosure
Patched Version: 0.1.3
Recommended Action: Update to version 0.1.3, or a newer patched version

Plugin: LDD Directory Lite

Plugin: CM Answers – Powerful WordPress Forum Plugin

Vulnerability: Missing Authorization
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: Simple Booking – Widget

Plugin: Advanced Floating Content

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: Terms descriptions

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: Media Downloader

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.4.7.5
Recommended Action: Update to version 0.4.7.5, or a newer patched version

Plugin: TicketSource Ticket Shop

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: TAX SERVICE Electronic HDM

Plugin: Frontend Admin by DynamiApps

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.25.2
Recommended Action: Update to version 3.25.2, or a newer patched version

Plugin: XML Multilanguage Sitemap Generator

Plugin: J&T Express Malaysia

Vulnerability: Reflected Cross-Site Scripting via [placeholder]
Patched Version: 2.0.15
Recommended Action: Update to version 2.0.15, or a newer patched version

Plugin: Navayan CSV Export

Plugin: Video & Photo Gallery for Ultimate Member

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Lifetime free Drag & Drop Contact Form Builder for WordPress VForm

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: I Plant A Tree

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: WP Data Access – App, Table, Form and Chart Builder plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.5.23
Recommended Action: Update to version 5.5.23, or a newer patched version

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure via Project Task List REST API
Patched Version: 2.6.16
Recommended Action: Update to version 2.6.16, or a newer patched version

Plugin: Mandrill WP – Email Form Under Post

Plugin: Termin-Kalender

Vulnerability: Missing Authorization to Authenticated (Subscriber+)
Patched Version: 1.00.04
Recommended Action: Update to version 1.00.04, or a newer patched version

Plugin: Amazon Product Price

Plugin: KiviCare – Clinic & Patient Management System (EHR)

Vulnerability: Authenticated (Patient+) Insecure Direct Object Reference
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Presenter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: WordPress Post Grid Layouts with Pagination – Sogrid

Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Button Block – Get fully customizable & multi-functional buttons

Vulnerability: Authenticated (Contributor+) Post Disclosure via Post Duplication
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: MDC Comment Toolbar

Plugin: Banner System

Plugin: WordPress Simple Shopping Cart

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.0.8
Recommended Action: Update to version 5.0.8, or a newer patched version

Plugin: Push Monkey Pro – Web Push Notifications and WooCommerce Abandoned Cart

Plugin: WP Currency Exchange Rates

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Poll, Poll Forms – WordPress Poll plugin by Poll Builder

Plugin: استخراج محصولات ووکامرس برای آیسی

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Import Export For WooCommerce

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Ban-User

Plugin: SeedProd Pro

Plugin: WP Controller

Plugin: Falcon – WordPress Optimizations & Tweaks

Vulnerability: Missing Authorization
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: WC Price History for Omnibus

Vulnerability: Missing Authorization
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Advanced Fancybox

Plugin: LaTeX2HTML

Plugin: WordPress HelpDesk & Support Ticket System Plugin – Octrace Support

Plugin: WP Datepicker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: Video Share VOD – Turnkey Video Site Builder Script

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.31
Recommended Action: Update to version 2.6.31, or a newer patched version

Plugin: Database Backup and check Tables Automated With Scheduler 2024

Vulnerability: Authenticated (Admin+) Arbitrary File Read
Patched Version: 2.33
Recommended Action: Update to version 2.33, or a newer patched version

Plugin: Fancy Roller Scroller

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Wovax IDX

Plugin: Floating Video Player

Plugin: Spoki – Chat Buttons and WooCommerce Notifications

Plugin: Payment Gateway Per Product for WooCommerce

Plugin: Ui Slider Filter By Price

Plugin: Multi-column Tag Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mctagmap Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mimoos

Plugin: PixProof – Easy Photo Proofing for Photographers

Plugin: WP Travel Engine – Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 3.2.20
Recommended Action: Update to version 3.2.20, or a newer patched version

Plugin: AJAX Login and Registration modal popup + inline form

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.25
Recommended Action: Update to version 2.25, or a newer patched version

Plugin: KBucket: Your Curated Content in WordPress

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: Minterpress

Plugin: Revi.io – Customer & Products Reviews

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version

Plugin: LabelGrid Tools

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.59
Recommended Action: Update to version 1.3.59, or a newer patched version

Plugin: Axeptio – Cookie Banner – GDPR Consent & Compliance with a friendly touch

Plugin: WordPress Post Grid Layouts with Pagination – Sogrid

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: Hello Event Widgets For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Contact Form, Survey & Form Builder – MightyForms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.10
Recommended Action: Update to version 1.3.10, or a newer patched version

Plugin: Category of Posts

Plugin: Contests by Rewards Fuel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.66
Recommended Action: Update to version 2.0.66, or a newer patched version

Plugin: addWeather

Plugin: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress

Vulnerability: Reflected Cross-Site Scripting via a-0-o-search_field_value
Patched Version: 5.1.0
Recommended Action: Update to version 5.1.0, or a newer patched version

Plugin: PKT1 Centro de envios

Plugin: Financial Calculator

Plugin: Onlywire Multi Autosubmitter

Plugin: AppMaps

Plugin: G Web Pro Store Locator

Plugin: FULL – Cliente

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.1.26
Recommended Action: Update to version 3.1.26, or a newer patched version

Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Form Submission Disclosure
Patched Version: 2.17.4
Recommended Action: Update to version 2.17.4, or a newer patched version

Plugin: KH Easy User Settings

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Outdooractive Embed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: My IDX Home Search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Bitcoin Lightning Publisher for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Missing Authorization
Patched Version: 5.10.13
Recommended Action: Update to version 5.10.13, or a newer patched version

Plugin: Saksh Escrow System

Plugin: SeedProd Pro

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Flash News / Post (Responsive)

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: jCarousel for WordPress

Plugin: Wr Age Verification

Plugin: Evernote Sync

Plugin: Caldera SMTP Mailer

Plugin: Accept Authorize.NET Payments Using Contact Form 7

Vulnerability: Unauthenticated Information Exposure
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Projectopia – WordPress Project Management

Vulnerability: Missing Authorization to Privilege Escalation via pto_reset_password()
Patched Version: 5.1.8
Recommended Action: Update to version 5.1.8, or a newer patched version

Plugin: PCRecruiter Extensions

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.23
Recommended Action: Update to version 1.4.23, or a newer patched version

Plugin: NACC WordPress Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: Loan Comparison

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: WP-NERD Toolkit

Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blaze Online eParcel for WooCommerce

Plugin: Easy Site Importer

Plugin: SMSify

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.1.0
Recommended Action: Update to version 6.1.0, or a newer patched version

Plugin: GitSync

Plugin: CE21 Suite

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: AIcomments – комментарии и отзывы ChatGPT

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Cryptocurrency Price Widget

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Social Media Sharing

Plugin: Car Dealer (Dealership) and Vehicle sales

Vulnerability: Missing Authorization
Patched Version: 4.48
Recommended Action: Update to version 4.48, or a newer patched version

Plugin: Prodigy Commerce

Plugin: Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CarDealerPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.7.2411.00
Recommended Action: Update to version 6.7.2411.00, or a newer patched version

Plugin: Web Stories

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.38.0
Recommended Action: Update to version 1.38.0, or a newer patched version

Plugin: YDS Support Ticket System

Plugin: 畅言评论系统

Plugin: Code Generator Pro

Plugin: CSV to html

Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 2.13.5
Recommended Action: Update to version 2.13.5, or a newer patched version

Plugin: Category Post Slider

Plugin: CleverNode Related Content

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Ksher

Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: WP Simple Pay Lite Manager

Plugin: Website Toolbox Community

Vulnerability: Reflected Cross-Site Scripting via websitetoolbox_username
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: PlugVersions – Easily rollback to previous versions of your plugins

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Creation
Patched Version: 0.0.8
Recommended Action: Update to version 0.0.8, or a newer patched version

Plugin: ImmoToolBox Connect

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Reactflow Visitor Recording and Heatmaps

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ICDSoft Reseller Store

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Authenticated (Admin+) Arbitrary File Download
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: WP Quick Shop

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Export Customers Data

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Simple Page Access Restriction

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 1.0.30
Recommended Action: Update to version 1.0.30, or a newer patched version

Plugin: WooCommerce Basic Ordernumbers

Plugin: Blaze Online eParcel for WooCommerce

Plugin: Advanced What should we write next about

Plugin: Elementor Website Builder – More Than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Typography Settings
Patched Version: 3.25.10
Recommended Action: Update to version 3.25.10, or a newer patched version

Plugin: EduAdmin Booking

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: Aphorismus

Plugin: Download Manager

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.3.03
Recommended Action: Update to version 3.3.03, or a newer patched version

Plugin: 3D Avatar User Profile

Plugin: Device Detector

Vulnerability: Reflected Cross-Site Scripting via id
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: Events Addon for Elementor

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: MagicPost – WordPress文章管理功能增强插件

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wb_share_social Shortcode
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Broken Link Checker | Finder

Vulnerability: Authenticated (Author+) Blind Server-Side Request Forgery
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: DTC Documents

Plugin: Check Pincode For Woocommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Role Includer

Plugin: NiceJob

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: Full Screen Menu for Elementor

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager

Vulnerability: Improper Authorization to Unauthenticated Download of Password-Protected Files
Patched Version: 3.3.04
Recommended Action: Update to version 3.3.04, or a newer patched version

Plugin: Instant Appointment

Plugin: Visual Recent Posts

Plugin: s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 241216
Recommended Action: Update to version 241216, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.

About the Author

Odell Duppins Jr

Well qualified professional with plenty of hands on experience with various technologies. Excellent analytical and troubleshooting skills with a keen ability of developing and/or simplifying processes by finding and developing new innovative solutions.