Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: PB oEmbed HTML5 Audio – with Cache Support
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Error Log Viewer by BestWebSoft
Vulnerability: Sensitive Information Exposure
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Simple Job Board
Vulnerability: Missing Authorization to Unauthenticated Information Disclosure
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.19
Recommended Action: Update to version 4.10.19, or a newer patched version
Plugin: YARPP – Yet Another Related Posts Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 5.30.10
Recommended Action: Update to version 5.30.10, or a newer patched version
Plugin: Sydney Toolbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version
Plugin: DOOFINDER Search and Discovery for WP & WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: System Dashboard
Vulnerability: Missing Authorization to Information Disclosure (sd_php_info)
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: Broken Link Checker
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: Social Sharing Plugin – Sassy Social Share
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.57
Recommended Action: Update to version 3.3.57, or a newer patched version
Plugin: Wbcom Designs – BuddyPress Activity Social Share
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version
Plugin: postMash – custom post order
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP To Do
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: Cwicly
Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 1.4.0.3
Recommended Action: Update to version 1.4.0.3, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.4.3
Recommended Action: Update to version 2.7.4.3, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Authenticated (Student+) HTML Injection via Q&A
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Core: WordPress
Vulnerability: Unauthorized Password Reset via Interception
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version
Plugin: Sitepact's Contact Form 7 Extension For Klaviyo
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Widget
Patched Version: 2.7.4.3
Recommended Action: Update to version 2.7.4.3, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.6.0
Recommended Action: Update to version 5.2.6.0, or a newer patched version
Plugin: InstaWP Connect – 1-click WP Staging & Migration
Vulnerability: Authenticated (Subscriber+) Remote Code Execution
Patched Version: 0.1.0.9
Recommended Action: Update to version 0.1.0.9, or a newer patched version
Plugin: MyWaze
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Peach Payments Gateway
Vulnerability: Missing Authorization via peach_core_version_rollback()
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Heureka
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Event Export
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Link Library
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 7.6.1
Recommended Action: Update to version 7.6.1, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via animated_text_class
Patched Version: 8.3.1
Recommended Action: Update to version 8.3.1, or a newer patched version
Plugin: Backup Bolt
Vulnerability: Sensitive Information Exposure
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Coming Soon Maintenance Mode
Vulnerability: Information Exposure
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: WPify Woo Czech
Vulnerability: Missing Authorization
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version
Plugin: Tabs Shortcode and Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.15.0
Recommended Action: Update to version 4.15.0, or a newer patched version
Plugin: Advanced Social Feeds Widget & Shortcode
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Change Table Prefix
Vulnerability: Cross-Site Request Forgery via change_prefix_form
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Google Calendar Widget Link
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version
Plugin: Enhanced Text Widget
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Plugin: SysBasics Easy Checkout Field Editor, Fees & Discounts
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.5.13
Recommended Action: Update to version 3.5.13, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.15.0
Recommended Action: Update to version 4.15.0, or a newer patched version
Plugin: Seriously Simple Podcasting
Vulnerability: Unauthenticated Email Disclosure
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: moveto
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ocean Extra
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Parallax Image
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: Enjoy Social Feed plugin for WordPress website
Vulnerability: Missing Authorization to Database Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.2.5
Recommended Action: Update to version 3.4.2.5, or a newer patched version
Plugin: PeproDev Ultimate Invoice
Vulnerability: Unauthenticated Sensitive Information Exposure via init_plugin
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version
Plugin: Widgets Controller
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via onClick Events
Patched Version: 4.10.19
Recommended Action: Update to version 4.10.19, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version
Plugin: TinyMCE and TinyMCE Advanced Professsional Formats and Styles
Vulnerability: Cross-Site Request Forgery via bb_taps_backend_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Activity Log
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version
Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Buttons Widget
Patched Version: 2.7.16
Recommended Action: Update to version 2.7.16, or a newer patched version
Plugin: WP Maintenance
Vulnerability: Information Exposure
Patched Version: 6.1.7
Recommended Action: Update to version 6.1.7, or a newer patched version
Plugin: Account Manager for WooCommerce
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Editor
Vulnerability: Sensitive Information Exposure via log file
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Ultimate Reviews
Vulnerability: Unauthenticated Stored Cross-Site Scripting via reviews
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via [edit-profile-text-box] shortcode
Patched Version: 4.15.0
Recommended Action: Update to version 4.15.0, or a newer patched version
Plugin: Fancy Product Designer
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version
Plugin: moveto
Vulnerability: Missing Authorization to Unauthenticated Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages
Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version
Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms
Vulnerability: Missing Authorization to Arbitrary Plugin Deactivation
Patched Version: 2.3.42
Recommended Action: Update to version 2.3.42, or a newer patched version
Plugin: CatalogX – Product Catalog Mode For WooCommerce
Vulnerability: Cross-Site Request Forgery via REST API
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version
Plugin: Featured Image from URL (FIFU)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via fifu_input_url
Patched Version: 4.6.3
Recommended Action: Update to version 4.6.3, or a newer patched version
Plugin: Schema & Structured Data for WP & AMP
Vulnerability: Authenticated (Custom) Stored Cross-Site Scripting
Patched Version: 1.27
Recommended Action: Update to version 1.27, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 21.3.1
Recommended Action: Update to version 21.3.1, or a newer patched version
Plugin: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Bookmarks
Patched Version: 1.15.4
Recommended Action: Update to version 1.15.4, or a newer patched version
Plugin: Plugin Groups
Vulnerability: Missing Authorization to Unauthenticated Denial of Service
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: Simple Website Banner
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.0.0
Recommended Action: Update to version 1.8.0.0, or a newer patched version
Plugin: TNC PDF viewer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.9.0
Recommended Action: Update to version 2.9.0, or a newer patched version
Plugin: 404 Solution
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.35.8
Recommended Action: Update to version 2.35.8, or a newer patched version
Plugin: Simple Share Buttons Adder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via CSS Settings
Patched Version: 8.4.12
Recommended Action: Update to version 8.4.12, or a newer patched version
Plugin: File Manager Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.3.5
Recommended Action: Update to version 8.3.5, or a newer patched version
Plugin: FormFacade – WordPress plugin for Google Forms
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.4.3
Recommended Action: Update to version 2.7.4.3, or a newer patched version
Plugin: My Private Site
Vulnerability: Improper Access Control to Sensitive Information Exposure via REST API
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: Database Reset
Vulnerability: Cross-Site Request Forgery to WP Reset Plugin Installation
Patched Version: 3.23
Recommended Action: Update to version 3.23, or a newer patched version
Plugin: Custom Order Statuses for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category, and more
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version
Plugin: Schema & Structured Data for WP & AMP
Vulnerability: Missing Authorization to reCaptcha Key Modification
Patched Version: 1.27
Recommended Action: Update to version 1.27, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Unauthenticated Sensitive Information Disclosure via Log file
Patched Version: 6.2.7.1
Recommended Action: Update to version 6.2.7.1, or a newer patched version
Plugin: Maspik – Advanced Spam Protection
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 0.10.7
Recommended Action: Update to version 0.10.7, or a newer patched version
Plugin: Oliver POS – A WooCommerce Point of Sale (POS)
Vulnerability: Missing Authorization
Patched Version: 2.4.2.1
Recommended Action: Update to version 2.4.2.1, or a newer patched version
Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.4
Recommended Action: Update to version 6.4, or a newer patched version
Plugin: Frontend File Manager Plugin
Vulnerability: Sensitive Information Exposure via user uploads
Patched Version: 22.8
Recommended Action: Update to version 22.8, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Authenticated (Contributor+) Information Disclosure via Shortcode
Patched Version: 2.12.9
Recommended Action: Update to version 2.12.9, or a newer patched version
Plugin: WordPress User Registration Forms by Formidable Forms
Vulnerability: Authenticated (Contributor+) Arbitrary User Password Reset To Account Takeover
Patched Version: 2.12
Recommended Action: Update to version 2.12, or a newer patched version
Plugin: Page scroll to id
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version
Plugin: Enjoy Social Feed plugin for WordPress website
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Microsoft Clarity
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.9.4
Recommended Action: Update to version 0.9.4, or a newer patched version
Plugin: Scalable Vector Graphics (SVG)
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: moveto
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cost of Goods: Product Cost & Profit Calculator for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version
Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Vulnerability: No subtitle
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Attendee List Retrieval
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 8.5.6
Recommended Action: Update to version 8.5.6, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version
Plugin: WP Media folder
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Change
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version
Plugin: Easy Forms for Mailchimp
Vulnerability: Sensitive Information Exposure via logfile
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Defender Security – Malware Scanner, Login Security & Firewall
Vulnerability: IP Address Spoofing
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Reflected (DOM-Based) Cross-Site Scripting
Patched Version: 2.7.4.3
Recommended Action: Update to version 2.7.4.3, or a newer patched version
Plugin: WooCommerce Google Sheet Connector
Vulnerability: Missing Authorization
Patched Version: 1.3.12
Recommended Action: Update to version 1.3.12, or a newer patched version
Plugin: Innovs HR – Complete Human Resource Management System for Your Business
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Missing Authorization
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version
Plugin: Custom Field Template
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via $search_label
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: moveto
Vulnerability: Unauthenticated Directory Traversal to Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms
Vulnerability: Missing Authorization
Patched Version: 2.3.42
Recommended Action: Update to version 2.3.42, or a newer patched version
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via su_tooltip Shortcode
Patched Version: 7.0.3
Recommended Action: Update to version 7.0.3, or a newer patched version
Plugin: Piraeus Bank WooCommerce Payment Gateway
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Action Network
Vulnerability: Reflected Cross-Site Scripting via ‘search’
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: WP Setup Wizard
Vulnerability: Authenticated (Subscriber+) Full Database Download
Patched Version: 1.0.8.2
Recommended Action: Update to version 1.0.8.2, or a newer patched version
Plugin: WP Media folder
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 5.7.3
Recommended Action: Update to version 5.7.3, or a newer patched version
Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
Vulnerability: Missing Authorization
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.