Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Sensei LMS – Online Courses, Quizzes, & Learning
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.18.0
Recommended Action: Update to version 4.18.0, or a newer patched version
Plugin: Clockwork SMS Notfications
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Forms for Mailchimp
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEOPress – On-site SEO
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.3
Recommended Action: Update to version 7.3, or a newer patched version
Plugin: Backup Migration
Vulnerability: Unauthenticated Path Traversal to Arbitrary File Deletion
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Appointment Booking and Scheduling Calendar Plugin – Webba Booking
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version
Plugin: JSM file_get_contents() Shortcode
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery via Shortcode
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: Block IPs for Gravity Forms
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Ultimate Addons for Beaver Builder
Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 1.35.15
Recommended Action: Update to version 1.35.15, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Widget
Patched Version: 1.8.19
Recommended Action: Update to version 1.8.19, or a newer patched version
Plugin: HTML Forms – Simple WordPress Forms Plugin
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 1.3.30
Recommended Action: Update to version 1.3.30, or a newer patched version
Plugin: WP Crowdfunding
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: Rise Blocks – A Complete Gutenberg Page Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: Colibri Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.240
Recommended Action: Update to version 1.0.240, or a newer patched version
Plugin: Media File Renamer: Rename for better SEO (AI-Powered)
Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: 5.7.8
Recommended Action: Update to version 5.7.8, or a newer patched version
Plugin: Keap Official Opt-in Forms
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version
Plugin: Booking for Appointments and Events Calendar – Amelia
Vulnerability: Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.86
Recommended Action: Update to version 1.0.86, or a newer patched version
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: Missing Authorization
Patched Version: 4.8.1
Recommended Action: Update to version 4.8.1, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Missing Authorization via API
Patched Version: 2.12.6
Recommended Action: Update to version 2.12.6, or a newer patched version
Plugin: Ultimate Addons for Beaver Builder
Vulnerability: Authenticated (Contributor+) Directory Traversal to Arbitrary File Download
Patched Version: 1.35.14
Recommended Action: Update to version 1.35.14, or a newer patched version
Plugin: New User Approve
Vulnerability: Cross-Site Request Forgery via admin_notices
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: HUSKY – Products Filter Professional for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.4.4
Recommended Action: Update to version 1.3.4.4, or a newer patched version
Plugin: E2Pdf – Export Pdf Tool for WordPress
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.20.24
Recommended Action: Update to version 1.20.24, or a newer patched version
Plugin: WP-Mobile-BankID-Integration
Vulnerability: PHP Object Injection
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: 404 Solution
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.35.0
Recommended Action: Update to version 2.35.0, or a newer patched version
Plugin: Mail logging – WP Mail Catcher
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.2.1
Recommended Action: Update to version 2.7.2.1, or a newer patched version
Plugin: LA-Studio Element Kit for Elementor
Vulnerability: Missing Authorization
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Zoho Forms – Drag & Drop Form Builder for Websites – Contact Forms, Payment Forms, Order Forms & More
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.9.16
Recommended Action: Update to version 6.9.16, or a newer patched version
Plugin: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
Vulnerability: Missing Authorization
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 8.5.6
Recommended Action: Update to version 8.5.6, or a newer patched version
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Missing Authorization via mvx_save_dashpages
Patched Version: 4.0.24
Recommended Action: Update to version 4.0.24, or a newer patched version
Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui
Vulnerability: Missing Authorization
Patched Version: 4.7.4
Recommended Action: Update to version 4.7.4, or a newer patched version
Plugin: HashBar – WordPress Notification Bar
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: WP Chat App
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version
Plugin: uncode-core
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version
Plugin: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.6.6.1
Recommended Action: Update to version 1.6.6.1, or a newer patched version
Plugin: Product Filter by WBW
Vulnerability: Missing Authorization via getListForTbl
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: WP Remote Site Search
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin
Vulnerability: Unauthenticated SQL Injection via email and trackingid
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version
Plugin: Impreza – WordPress Website and WooCommerce Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.18
Recommended Action: Update to version 8.18, or a newer patched version
Plugin: Pre* Party Resource Hints
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.8.19
Recommended Action: Update to version 1.8.19, or a newer patched version
Plugin: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.18
Recommended Action: Update to version 1.6.18, or a newer patched version
Plugin: Login Lockdown & Protection
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.07
Recommended Action: Update to version 2.07, or a newer patched version
Plugin: MF Gig Calendar
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Crowdfunding
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.10
Recommended Action: Update to version 2.1.10, or a newer patched version
Plugin: Sticky Chat Widget: Chat Icons, Contact form, Email, SMS, Call Button, Click to Chat, Social Chat Widget, Sticky Chat Buttons
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: DeMomentSomTres WordPress Export Posts With Images
Vulnerability: Missing Authorization to Blog Data Export
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.4.1.7
Recommended Action: Update to version 1.4.1.7, or a newer patched version
Plugin: Store Locator WordPress
Vulnerability: Authenticated (Administrator+) Directory Traversal to Arbitrary File Deletion
Patched Version: 1.4.15
Recommended Action: Update to version 1.4.15, or a newer patched version
Plugin: Squirrly SEO – Advanced Pack
Vulnerability: Advanced Pack <= 2.3.8
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Limit Login Attempts Reloaded
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.25.27
Recommended Action: Update to version 2.25.27, or a newer patched version
Plugin: Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: WP Review Slider
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 13.0
Recommended Action: Update to version 13.0, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.2.4.6
Recommended Action: Update to version 5.2.4.6, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.10.2
Recommended Action: Update to version 4.10.2, or a newer patched version
Plugin: Add Any Extension to Pages
Vulnerability: Cross-Site Request Forgery via aaetp_options_page
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version
Plugin: Image Optimizer, Resizer and CDN – Sirv
Vulnerability: Missing Authorization via sirv_disconnect
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Missing Authorization via submit
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
Vulnerability: Cross-Site Request Forgery via antihacker_ajax_scan
Patched Version: 4.35
Recommended Action: Update to version 4.35, or a newer patched version
Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress
Vulnerability: Missing Authorization
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version
Plugin: Estatik Real Estate Plugin
Vulnerability: Missing Authorization to Limited Arbitrary Options Update
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Plugin: Backup Migration
Vulnerability: 1.3.9
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.3.29
Recommended Action: Update to version 2.3.29, or a newer patched version
Plugin: WordPress.com Editing Toolkit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.79150
Recommended Action: Update to version 3.79150, or a newer patched version
Plugin: BuddyPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 11.3.2
Recommended Action: Update to version 11.3.2, or a newer patched version
Plugin: uncode-core
Vulnerability: Privilege Escalation
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version
Plugin: Back Button Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version
Plugin: Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.14.4
Recommended Action: Update to version 2.14.4, or a newer patched version
Plugin: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements
Vulnerability: Missing Authorization
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version
Plugin: AFI – The Easiest Integration Plugin
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.76.0
Recommended Action: Update to version 1.76.0, or a newer patched version
Plugin: Google Photos Gallery with Shortcodes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 4.0.11
Recommended Action: Update to version 4.0.11, or a newer patched version
Plugin: ZeroBounce Email Verification & Validation
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.12
Recommended Action: Update to version 1.0.12, or a newer patched version
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!
Vulnerability: Unauthorized Form Submission via Disabled Forms
Patched Version: 2.0.3.1
Recommended Action: Update to version 2.0.3.1, or a newer patched version
Plugin: Backup Migration
Vulnerability: Authenticated (Admin+) OS Command Injection via url
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Estatik Real Estate Plugin
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Plugin: SureFeedback Client Site
Vulnerability: Missing Authorization via ph_child_ajax_notice_handler
Patched Version: 1.0.35
Recommended Action: Update to version 1.0.35, or a newer patched version
Plugin: Booking Calendar | Appointment Booking | Bookit
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version
Plugin: uncode-core
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Missing Authorization
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.0.73
Recommended Action: Update to version 1.0.73, or a newer patched version
Plugin: WordPress Infinite Scroll – Ajax Load More
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version
Plugin: Ultimate Addons for Elementor
Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 1.36.21
Recommended Action: Update to version 1.36.21, or a newer patched version
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Incorrect Authorization Checks
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version
Plugin: Ultimate Addons for WPBakery
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.19.18
Recommended Action: Update to version 3.19.18, or a newer patched version
Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin
Vulnerability: 2.3.9
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: SysBasics Customize My Account for WooCommerce
Vulnerability: Cross-Site Request Forgery via restore_my_account_tabs
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.