Watch Out Wednesday – February 14, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Fastly

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.98
Recommended Action: Update to version 0.98, or a newer patched version

Plugin: Passster – Password Protect Pages and Content

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 4.2.6.3
Recommended Action: Update to version 4.2.6.3, or a newer patched version

Plugin: Woocommerce Vietnam Checkout

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Cross-Site Request Forgery to Settings Update in enableOptimization
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.15
Recommended Action: Update to version 2.7.15, or a newer patched version

Plugin: Resend Welcome Email

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Cross-Site Request Forgery to IP Blocking
Patched Version: 5.2.7
Recommended Action: Update to version 5.2.7, or a newer patched version

Plugin: PB oEmbed HTML5 Audio – with Cache Support

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NextMove Lite – Thank You Page for WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Activation
Patched Version: 2.18.0
Recommended Action: Update to version 2.18.0, or a newer patched version

Core: WordPress

Vulnerability: ca-bundle.crt contains expired certificate DST Root CA X3
Patched Version: 5.2.13
Recommended Action: Update to one of the following versions, or a newer patched version: 5.2.13, 5.3.10, 5.4.8, 5.5.7, 5.6.6, 5.7.4, 5.8.2

Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin

Vulnerability: Missing Authorization to Unauthenticated Events Export
Patched Version: 3.3.51
Recommended Action: Update to version 3.3.51, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 7.0.2
Recommended Action: Update to version 7.0.2, or a newer patched version

Plugin: Coupon Referral Program

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Vulnerability: Missing Authorization via creating_pricing_table_page
Patched Version: 2.11.2
Recommended Action: Update to version 2.11.2, or a newer patched version

Plugin: Post View Count

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DOOFINDER Search and Discovery for WP & WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: VK Poster Group

Vulnerability: Reflected Cross-Site Scripting via vkp_repost
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ImageRecycle pdf & image compression

Vulnerability: Missing Authorization to Settings Update in enableOptimization
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

Vulnerability: Missing Authorization to Arbitrary Page Creation and Publication
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: Basic Log Viewer

Vulnerability: Cross-Site Request Forgery via wpst_lw_viewer
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Portfolio Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.05
Recommended Action: Update to version 2.05, or a newer patched version

Plugin: Broken Link Checker

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: The Hacker's Diet

Vulnerability: SQL Injection
Patched Version: 0.9.7b
Recommended Action: Update to version 0.9.7b, or a newer patched version

Plugin: Backuply – Backup, Restore, Migrate and Clone

Vulnerability: Backup, Restore, Migrate and Clone <= 1.2.6
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: EventON

Vulnerability: WordPress Virtual Event Calendar Plugin <= 4.5.8 (Pro) & <= 2.2.7 (Free)
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Product Labels For Woocommerce (Sale Badges)

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.88
Recommended Action: Update to version 1.3.88, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.10.2
Recommended Action: Update to version 3.10.2, or a newer patched version

Plugin: Gallery Manager

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.13
Recommended Action: Update to version 1.5.13, or a newer patched version

Plugin: Events Tickets Plus

Vulnerability: Missing Authorization to Information Exposure
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version

Plugin: Polls CP

Vulnerability: Unauthenticated Poll Limit Bypass
Patched Version: 1.0.72
Recommended Action: Update to version 1.0.72, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: Missing Authorization to Settings Import
Patched Version: 4.0.12
Recommended Action: Update to version 4.0.12, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Cross-Site Request Forgery to Plugin Data Removal in reinitialize
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: Matomo Analytics – Ethical Stats. Powerful Insights.

Vulnerability: Reflected Cross-Site Scripting via idsite
Patched Version: 5.0.1
Recommended Action: Update to version 5.0.1, or a newer patched version

Plugin: MyWaze

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: secure-files

Vulnerability: Directory Traversal
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: InfiniteWP Client

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.12.3.1
Recommended Action: Update to version 1.12.3.1, or a newer patched version

Plugin: SKT Page Builder

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Content Injection
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 6.5.3
Recommended Action: Update to version 6.5.3, or a newer patched version

Plugin: Comments Like Dislike

Vulnerability: IP Spoofing
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Apollo13 Framework Extensions

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Login Lockdown & Protection

Vulnerability: Missing Authorization
Patched Version: 2.09
Recommended Action: Update to version 2.09, or a newer patched version

Plugin: WP-Stateless – Google Cloud Storage

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Missing Authorization to Plugin Data Removal in reinitialize
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery via remove_from_wishlist
Patched Version: 1.3.88
Recommended Action: Update to version 1.3.88, or a newer patched version

Plugin: Content Cards

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multi Step Form

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.19
Recommended Action: Update to version 1.7.19, or a newer patched version

Plugin: PPWP – Password Protect Pages

Vulnerability: Protection Mechanism Bypass
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: Internal Link Juicer: SEO Auto Linker for WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.23.5
Recommended Action: Update to version 2.23.5, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.9
Recommended Action: Update to version 5.9.9, or a newer patched version

Plugin: Elementor Addons by Livemesh

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via animated_text_class
Patched Version: 8.3.1
Recommended Action: Update to version 8.3.1, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via get_image_alt
Patched Version: 3.19.0
Recommended Action: Update to version 3.19.0, or a newer patched version

Plugin: WP-Mobile-BankID-Integration

Vulnerability: PHP Object Injection
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Arbitrary File Deletion and PHAR Deserialization
Patched Version: 3.19.1
Recommended Action: Update to version 3.19.1, or a newer patched version

Plugin: Post Pay Counter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.790
Recommended Action: Update to version 2.790, or a newer patched version

Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin

Vulnerability: Authenticated (Contributor+) PHP Object Injection in mep_event_meta_save
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: moveto

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: woo-popup

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Editorial Calendar

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: Pexels: Free Stock Photos

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Broken Link Checker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10.6
Recommended Action: Update to version 1.10.6, or a newer patched version

Plugin: WordPress Landing Pages

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: Shariff Wrapper

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.6.10
Recommended Action: Update to version 4.6.10, or a newer patched version

Plugin: Events Tickets Plus

Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Cross-Site Request Forgery to Settings Update in stopOptimizeAll
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: Quiz Maker

Vulnerability: Missing Authorization to Unauthenticated Quiz Data Retrieval
Patched Version: 6.5.2.5
Recommended Action: Update to version 6.5.2.5, or a newer patched version

Plugin: SMTP Mail

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.21
Recommended Action: Update to version 1.3.21, or a newer patched version

Plugin: Royal PrettyPhoto

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: TinyMCE and TinyMCE Advanced Professsional Formats and Styles

Vulnerability: Cross-Site Request Forgery via bb_taps_backend_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Happy Addons for Elementor

Vulnerability: Server-Side Request Forgery
Patched Version: 3.10.0
Recommended Action: Update to version 3.10.0, or a newer patched version

Plugin: WP Editor

Vulnerability: Sensitive Information Exposure via log file
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Navigation Attributes
Patched Version: 5.9.8
Recommended Action: Update to one of the following versions, or a newer patched version: 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2

Plugin: Themify Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 7.0.6
Recommended Action: Update to version 7.0.6, or a newer patched version

Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)

Vulnerability: Incorrect Authorization via bdt_duplicate_as_draft
Patched Version: 3.11.11
Recommended Action: Update to version 3.11.11, or a newer patched version

Plugin: Ultimate Reviews

Vulnerability: Unauthenticated Stored Cross-Site Scripting via reviews
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version

Plugin: Medialist

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: WP Media folder

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Title Modification
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version

Plugin: Geo Controller

Vulnerability: Unauthenticated PHP Object Injection via shortcode REST API Route
Patched Version: 8.6.5
Recommended Action: Update to version 8.6.5, or a newer patched version

Plugin: Elementor Addons by Livemesh

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.3.3
Recommended Action: Update to version 8.3.3, or a newer patched version

Plugin: Wonder Slider Lite

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 14.0
Recommended Action: Update to version 14.0, or a newer patched version

Plugin: moveto

Vulnerability: Missing Authorization to Unauthenticated Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Booking Calendar

Vulnerability: Unauthenticated SQL Injection
Patched Version: 9.9.1
Recommended Action: Update to version 9.9.1, or a newer patched version

Plugin: AI Popup

Vulnerability: Authenticated (Admin+) Directory Traversal to Limited Local File Inclusion
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: PJ News Ticker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version

Plugin: Email Encoder – Protect Email Addresses and Phone Numbers

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Load More Anything

Vulnerability: Missing Authorization to Plugin Settings Modification
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: Quiz Maker

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Creation & Modification
Patched Version: 6.5.2.5
Recommended Action: Update to version 6.5.2.5, or a newer patched version

Plugin: WordPress Exit Strategy

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.59
Recommended Action: Update to version 1.59, or a newer patched version

Plugin: Download Attachments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Link
Patched Version: 4.8.1
Recommended Action: Update to version 4.8.1, or a newer patched version

Plugin: Subscribe to Comments

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: 12 Step Meeting List

Vulnerability: Missing Authorization
Patched Version: 3.14.29
Recommended Action: Update to version 3.14.29, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version

Plugin: TNC PDF viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version

Plugin: Media Downloader

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.1.993
Recommended Action: Update to version 0.1.993, or a newer patched version

Plugin: Taxonomy Switcher

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Missing Authorization to Settings Update in optimizeAllOn
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: PlusCaptcha

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.14
Recommended Action: Update to version 2.0.14, or a newer patched version

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.15.5
Recommended Action: Update to version 2.15.5, or a newer patched version

Plugin: Starbox – the Author Box for Humans

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: WP-CFM

Vulnerability: Cross-Site Request Forgery via multiple AJAX functions
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Core: WordPress

Vulnerability: Insecure Deserialization
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: Payment Forms for Paystack

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Link Library

Vulnerability: Reflected Cross-Site Scripting via ‘link_price’ and ‘link_tags’
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery via remove_from_compare
Patched Version: 1.3.88
Recommended Action: Update to version 1.3.88, or a newer patched version

Plugin: Qtranslate Slug

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.17
Recommended Action: Update to version 1.1.17, or a newer patched version

Plugin: Multi Step Form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.17
Recommended Action: Update to version 1.7.17, or a newer patched version

Plugin: Portugal CTT Tracking for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: Missing Authorization to Unauthenticated Data Export
Patched Version: 4.0.12
Recommended Action: Update to version 4.0.12, or a newer patched version

Plugin: SiteOrigin Widgets Bundle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.58.3
Recommended Action: Update to version 1.58.3, or a newer patched version

Plugin: Canto

Vulnerability: Remote File Inclusion to Code Execution
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Missing Authorization to Unauthenticated Settings Change
Patched Version: 7.8.5
Recommended Action: Update to version 7.8.5, or a newer patched version

Plugin: Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 3.05.5
Recommended Action: Update to version 3.05.5, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Events
Patched Version: 3.4.24
Recommended Action: Update to version 3.4.24, or a newer patched version

Plugin: Easy2Map Photos

Vulnerability: SQL Injection
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Debug Bar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.8.1
Recommended Action: Update to version 0.8.1, or a newer patched version

Plugin: Before After Image Slider WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.9
Recommended Action: Update to version 5.9.9, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery via add_to_compare
Patched Version: 1.3.88
Recommended Action: Update to version 1.3.88, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Missing Authorization to Authenticated (Subscriber+) SQL Injection
Patched Version: 9.2.0
Recommended Action: Update to version 9.2.0, or a newer patched version

Plugin: Maspik – Advanced Spam Protection

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 0.10.7
Recommended Action: Update to version 0.10.7, or a newer patched version

Plugin: Simple Googlebot Visit

Vulnerability: Missing Authorization to Settings Update
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Malware Scanner

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.7.3
Recommended Action: Update to version 4.7.3, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery via add_to_wishlist
Patched Version: 1.3.88
Recommended Action: Update to version 1.3.88, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Cross-Site Request Forgery to Settings Update in disableOptimization
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: Newsletters

Vulnerability: Authenticated (Admin+) Command Injection
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version

Plugin: Honeypot for WP Comment

Vulnerability: Directory Traversal to Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 Connector

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting in Custom HTML Block
Patched Version: 5.8
Recommended Action: Update to version 5.8, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Sensitive Information Exposure via user uploads
Patched Version: 22.8
Recommended Action: Update to version 22.8, or a newer patched version

Plugin: WangGuard

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Missing Authorization via wpas_get_users()
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.1.7
Recommended Action: Update to version 7.1.7, or a newer patched version

Plugin: Honeypot for WP Comment

Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Insert PHP Code Snippet

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: WP Contact Form

Vulnerability: Cross-Site Request Forgery via wpcf_adminpage
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ImageRecycle pdf & image compression

Vulnerability: Cross-Site Request Forgery to Settings Update in optimizeAllOn
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Missing Authorization to Settings Update in disableOptimization
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Vulnerability: Missing Authorization via pms_stripe_connect_handle_authorization_return
Patched Version: 2.11.2
Recommended Action: Update to version 2.11.2, or a newer patched version

Plugin: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: moveto

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.4.24
Recommended Action: Update to version 3.4.24, or a newer patched version

Plugin: Ultimate Posts Widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Missing Authorization via wpr_update_form_action_meta
Patched Version: 1.3.88
Recommended Action: Update to version 1.3.88, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.10.2
Recommended Action: Update to version 3.10.2, or a newer patched version

Plugin: Mark User as Spammer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 8.5.6
Recommended Action: Update to version 8.5.6, or a newer patched version

Plugin: WP Media folder

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Change
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version

Plugin: Simple Page Access Restriction

Vulnerability: Improper Access Control to Sensitive Information Exposure via REST API
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version

Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers

Vulnerability: Unauthenticated Sensitive Information Exposure via Invoice
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Sensitive Information Exposure via logfile
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery via wpr_update_form_action_meta
Patched Version: 1.3.88
Recommended Action: Update to version 1.3.88, or a newer patched version

Plugin: All 404 Pages Redirect to Homepage

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Seraphinite Post .DOCX Source

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.16.7
Recommended Action: Update to version 2.16.7, or a newer patched version

Plugin: Defender Security – Malware Scanner, Login Security & Firewall

Vulnerability: IP Address Spoofing
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version

Plugin: A Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: simple-download-button-shortcode

Vulnerability: Information Disclosure via Arbitrary File Downloads
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button URL
Patched Version: 4.8.1
Recommended Action: Update to version 4.8.1, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Missing Authorization via editor_html()
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Cross-Site Request Forgery
Patched Version: 21.2.9
Recommended Action: Update to version 21.2.9, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Raw Content
Patched Version: 4.8.1
Recommended Action: Update to version 4.8.1, or a newer patched version

Plugin: Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.82
Recommended Action: Update to version 3.82, or a newer patched version

Plugin: BuddyStream

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: Paytium: Mollie payment forms & donations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: Magee Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Buttons Shortcode and Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: moveto

Vulnerability: Unauthenticated Directory Traversal to Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Polls CP

Vulnerability: Authenticated SQL Injection
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Podlove Subscribe button

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.3.11
Recommended Action: Update to version 1.3.11, or a newer patched version

Plugin: HD FLV Player

Vulnerability: Arbitrary File Upload
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Polls CP

Vulnerability: Unauthenticated Content Injection
Patched Version: 1.0.72
Recommended Action: Update to version 1.0.72, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Accordion
Patched Version: 5.9.9
Recommended Action: Update to version 5.9.9, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Missing Authorization to Settings Update in stopOptimizeAll
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: 404Like

Vulnerability: SQL Injection
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Authenticated (Contributor+) User Meta Disclosure
Patched Version: 2.12.9
Recommended Action: Update to version 2.12.9, or a newer patched version

Plugin: Super Forms – Drag & Drop Form Builder

Vulnerability: Drag & Drop Form Builder WordPress <= 6.0.3
Patched Version: 6.0.4
Recommended Action: Update to version 6.0.4, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery
Patched Version: 5.9.9
Recommended Action: Update to version 5.9.9, or a newer patched version

Plugin: JetBackup – WP Backup, Migrate & Restore

Vulnerability: Sensitive Information Exposure via Directory Listing
Patched Version: 2.0.9.9
Recommended Action: Update to version 2.0.9.9, or a newer patched version

Plugin: SiteOrigin Widgets Bundle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.58.4
Recommended Action: Update to version 1.58.4, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.