Watch Out Wednesday – February 26, 2025

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Authenticated (Admin+) Arbitrary File Upload via wpvivid_upload_file
Patched Version: 0.9.113
Recommended Action: Update to version 0.9.113, or a newer patched version

Plugin: Social Sharing Plugin – Social Warfare

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better Find and Replace

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: BuddyPress Groups Extras

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: Powerful Auto Chat

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: URL Shortener | Conversion Tracking | AB Testing | WooCommerce

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Coaching Staffs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Catalog Importer, Scraper & Crawler

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Nias course | دوره ساز نیاس

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LTL Freight Quotes – GlobalTranz Edition

Vulnerability: Missing Authorization to Unauthenticated Settings Update
Patched Version: 2.3.13
Recommended Action: Update to version 2.3.13, or a newer patched version

Plugin: Zigaform – Price Calculator & Cost Estimation Form Builder Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.4.8
Recommended Action: Update to version 7.4.8, or a newer patched version

Plugin: Uix Page Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: Radio Buttons and Swatches for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.21
Recommended Action: Update to version 1.1.21, or a newer patched version

Plugin: Autoship Cloud for WooCommerce Subscription Products

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Hide Login+

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Media Category Management

Vulnerability: 2.3.3
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Nextend Social Login Pro

Vulnerability: Authentication Bypass via WordPress.com OAuth provider
Patched Version: 3.1.15
Recommended Action: Update to version 3.1.15, or a newer patched version

Plugin: Justified Image Grid – Premium WordPress Gallery

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: WordPress Additional Logins

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Notifikácie.sk

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Meta

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Edwiser Bridge – WordPress Moodle LMS Integration

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Smart Maintenance Mode

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CodeBard Help Desk

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NHR Options Table Manager

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Korea for WooCommerce

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 1.1.12
Recommended Action: Update to version 1.1.12, or a newer patched version

Plugin: Vitepos – Point of sale (POS) plugin for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: .TUBE Video Curator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visualizer: Tables and Charts Manager for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Import Data From File
Patched Version: 3.11.9
Recommended Action: Update to version 3.11.9, or a newer patched version

Plugin: IdeaPush

Vulnerability: Missing Authorization
Patched Version: 8.73
Recommended Action: Update to version 8.73, or a newer patched version

Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)

Vulnerability: Missing Authorization to Unauthenticated Price, Date, and Note Updates
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress-to-candidate for Salesforce CRM

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: blu Logistics

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Content Blocks (Custom Post Widget)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via content Parameter
Patched Version: 3.3.6
Recommended Action: Update to version 3.3.6, or a newer patched version

Plugin: Kv Compose Email From Dashboard

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Live Dashboard

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service

Vulnerability: 2.6.2
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: Barcode Generator for WooCommerce – Show barcodes on products, orders, invoices and other pages

Vulnerability: Authenticated (Subscriber+) Sensitive Information Disclosure
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: LTL Freight Quotes – TForce Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: Cookie Notice Bar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CloudFlare(R) Cache Purge

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form With Shortcode

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.38.3
Recommended Action: Update to version 1.38.3, or a newer patched version

Plugin: WordPress Portfolio Builder – Portfolio Gallery

Vulnerability: Missing Authorization to Unauthenticated Portfolio Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YouTube Playlists with Schema

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom WP Store Locator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: Lenix Leads Collector

Vulnerability: Unauthenticated Stored Cross-Site Scripting via URL Form Field
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Music Store – WordPress eCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Ultimate Classified Listings

Vulnerability: No subtitle
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Pollin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP OpenSearch

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LTL Freight Quotes – Purolator Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: User Messages

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Coder – Code Snippets + HTML, CSS, JS and PHP Injection

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.93
Recommended Action: Update to version 2.2.93, or a newer patched version

Plugin: Subscribe2 – Form, Email Subscribers & Newsletters

Vulnerability: Unauthenticated Stored Cross-Site Scripting via IP Parameter
Patched Version: 10.44
Recommended Action: Update to version 10.44, or a newer patched version

Plugin: Import Excel to Gravity Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.18.1
Recommended Action: Update to version 1.18.1, or a newer patched version

Plugin: Coronavirus (COVID-19) Outbreak Data Widgets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Real Estate Manager – Property Listing and Agent Management

Vulnerability: CAPTCHA Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ADFO – Custom data in admin dashboard

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accept Donations with PayPal & Stripe

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Best WordPress Shortcode Plugin in 2025 – AIO Shortcodes

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: WP-NOTCAPTCHA

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPO365 | MICROSOFT 365 GRAPH MAILER

Vulnerability: Open Redirect via ‘redirect_to’ Parameter
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: LTL Freight Quotes – Old Dominion Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.2.11
Recommended Action: Update to version 4.2.11, or a newer patched version

Plugin: WP Finance

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GD Mail Queue

Vulnerability: No subtitle
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: WP Mailster

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.8.17.0
Recommended Action: Update to version 1.8.17.0, or a newer patched version

Plugin: User Private Files – File Upload & Download Manager with Secure File Sharing

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress

Vulnerability: Missing Authorization
Patched Version: 20.8.2
Recommended Action: Update to version 20.8.2, or a newer patched version

Plugin: ElementsKit Elementor addons

Vulnerability: Unauthenticated Information Exposure via get_megamenu_content Function
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Social Login

Vulnerability: Authentication Bypass via Disqus OAuth provider
Patched Version: 5.10.0
Recommended Action: Update to version 5.10.0, or a newer patched version

Plugin: TCBD Tooltip

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tracking Code Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: PeproDev Ultimate Invoice

Vulnerability: Insecure Direct Object Reference to Unauthenticated Order Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Yay! Forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Pie Register – Social Sites Login (Add on)

Vulnerability: Authentication Bypass via WordPress.com OAuth provider
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Awesome Responsive Photo Gallery – Image & Video Lightbox Gallery

Vulnerability: Missing Authorization
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WP Mailster

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.16.0
Recommended Action: Update to version 1.8.16.0, or a newer patched version

Plugin: Ninja Tables – Easy Data Table Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.0.17
Recommended Action: Update to version 5.0.17, or a newer patched version

Plugin: PlainInventory – Inventory Management Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: Pollin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: A1POST.BG Shipping for WooCommerce

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Angular Contact Form

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP tarteaucitron.js Self Hosted

Vulnerability: Running a Vulnerable Dependency
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.18.10
Recommended Action: Update to version 6.18.10, or a newer patched version

Plugin: Education Addon for Elementor

Vulnerability: Authenticated (Contributor+) Insecure Direct Object Reference via naedu_elementor_template Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.92.1
Recommended Action: Update to version 3.92.1, or a newer patched version

Plugin: Head, Footer and Post Injections

Vulnerability: Authenticated (Administrator+) PHP Code Injection in Multisite Environments
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Rife Elementor Extensions & Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Shortcode
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: EMI Calculator

Vulnerability: Missing Authorization to Unauthenticated Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Drivr Lite – Google Drive Plugin

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SVG Support

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 2.5.11
Recommended Action: Update to version 2.5.11, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Cross-Site Request Forgery in wfu_file_details
Patched Version: 4.25.3
Recommended Action: Update to version 4.25.3, or a newer patched version

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simplebooklet PDF Viewer and Embedder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WP Mailster

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.18.0
Recommended Action: Update to version 1.8.18.0, or a newer patched version

Plugin: Shipping for Nova Poshta

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.19.7
Recommended Action: Update to version 1.19.7, or a newer patched version

Plugin: WPUpper Share Buttons

Vulnerability: Cross-Site Request Forgery to Custom CSS Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cosmic Blocks (40+) Content Editor Blocks Collection

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Loginizer Security

Vulnerability: Authentication Bypass via WordPress.com OAuth provider
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: ravpage

Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Legoeso PDF Manager

Vulnerability: Authenticated (Author+) SQL Injection via checkedVals Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Insecure Direct Object Reference to Authenticated (Subscriber+) User Photo Disconnection
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Disable Auto Updates

Vulnerability: Cross-Site Request Forgery to Auto-update Disable
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Infility Global

Vulnerability: Reflected Cross-Site Scripting via set_type Parameter
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version

Plugin: Ultimate Classified Listings

Vulnerability: Cross-Site Request Forgery to Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ProfilePress Pro

Vulnerability: Pro <= 4.11.1
Patched Version: 4.11.2
Recommended Action: Update to version 4.11.2, or a newer patched version

Plugin: Easy MLS Listings Import

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Tidy.ro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unlimited Elements For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Transparent Split Hero Widget
Patched Version: 1.5.141
Recommended Action: Update to version 1.5.141, or a newer patched version

Plugin: Cleanup – Directory Listing & Classifieds WordPress Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Show Me The Cookies

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Passwordless WP – Login with your glance or fingerprint

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: picu – Online Photo Proofing Gallery

Vulnerability: Missing Authorization
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Yawave

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Heateor Social Login WordPress

Vulnerability: Authentication Bypass via Disqus OAuth provider
Patched Version: 1.1.36
Recommended Action: Update to version 1.1.36, or a newer patched version

Plugin: Gumlet Video

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 1.7.1008
Recommended Action: Update to version 1.7.1008, or a newer patched version

Plugin: WP-Appbox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via appbox Shortcode
Patched Version: 4.5.5
Recommended Action: Update to version 4.5.5, or a newer patched version

Plugin: Actionwear products sync

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: Data Dash

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Unauthenticated Paid Order Creation
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: WooCommerce – Social Login

Vulnerability: WordPress / WooCommerce Plugin <= 2.7.7
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: Contact Form 7 – Paystack Add-on

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Multistore Locator — WP Store Locator Plugin: Effortless Integration With Snazzy Maps

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Lexicata

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Sensitive Information Exposure via Log Files
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Loops

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPExperts Square For GiveWP

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Raptive Ads

Vulnerability: Missing Authorization to Unauthenticated Data/Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smartarget – Get 40% more sales, improve user engagement with 25+ free apps.

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider

Vulnerability: Missing Authorization
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: LTL Freight Quotes – GlobalTranz Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version

Plugin: Awesome WordPress Timeline Plugin

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easypromos Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: LTL Freight Quotes – SEFL Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: WPLingo – Forum Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Authenticated SQL Injection
Patched Version: 2.10.0
Recommended Action: Update to version 2.10.0, or a newer patched version

Plugin: WP Foodbakery

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: Digihood HTML Sitemap

Vulnerability: Reflected Cross-Site Scripting via ‘channel’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bulk Me Now!

Vulnerability: Cross-Site Request Forgery to Message Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better WishList API

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Paytm Payment Donation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.1
Recommended Action: Update to version 4.9.1, or a newer patched version

Plugin: Easy Bet

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: C9 Admin Dashboard

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Website Builder – More Than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.27.5
Recommended Action: Update to version 3.27.5, or a newer patched version

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.6
Recommended Action: Update to version 4.7.6, or a newer patched version

Plugin: WordPress 淘宝客插件

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Team Members

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: EZPZ SAML SP Single Sign On (SSO)

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Easy Code Placement

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DPortfolio

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: OPSI Israel Domestic Shipments

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pretty Url

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DeBounce Email Validator

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Disqus Popular Posts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Demo User DZS – Showcase your admin safely

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Unauthenticated SQL Injection via Event Status Parameter
Patched Version: 6.6.4
Recommended Action: Update to version 6.6.4, or a newer patched version

Plugin: WP Wiki Tooltip

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PORTONE 우커머스 결제

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Unlimited Elements For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 1.5.136
Recommended Action: Update to version 1.5.136, or a newer patched version

Plugin: Custom Post Type Date Archives

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Shortcode Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Optimate Ads – Advance Ad Inserter AdSense & Ad Manager

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UltraEmbed – Advanced Iframe Plugin For WordPress with Gutenberg Block Included

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add custom content after post

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CanadaHelps Embedded Donation Form

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LTL Freight Quotes – ABF Freight Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.3.8
Recommended Action: Update to version 3.3.8, or a newer patched version

Plugin: Accessibility Suite by Ability, Inc

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tour Master – Tour Booking, Travel, Hotel

Vulnerability: Tour Booking, Travel, Hotel <= 5.3.4
Patched Version: 5.3.5
Recommended Action: Update to version 5.3.5, or a newer patched version

Plugin: WPMobile.App

Vulnerability: Open Redirect via ‘redirect’ Parameter
Patched Version: 11.57
Recommended Action: Update to version 11.57, or a newer patched version

Plugin: Maps for WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: RomanCart On WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WC Wallet

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.15.20
Recommended Action: Update to version 4.15.20, or a newer patched version

Plugin: One to one user Chat by WPGuppy

Vulnerability: Authorization Bypass
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Wp Social Login and Register Social Counter

Vulnerability: Authentication Bypass via WordPress.com OAuth provider
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Zalomení

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.11.1
Recommended Action: Update to version 9.11.1, or a newer patched version

Plugin: Ksher

Vulnerability: Missing Authorization
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Scroll Top – WordPress Scroll to Top plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VSTEMPLATE Creator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Recip.ly Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Prime Addons for Elementor

Vulnerability: Authenticated (Contributor+) Insecure Direct Object Reference via pae_global_block Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin Options Pages

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Awesome Event Booking

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: LTL Freight Quotes – R+L Carriers Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: Animated Number Counters

Vulnerability: Authenticated (Editor+) Local File Inclusion
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: igumbi Online Booking

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.41
Recommended Action: Update to version 1.41, or a newer patched version

Plugin: Save as PDF Plugin by Pdfcrowd

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version

Plugin: UMich OIDC Login

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Categorized Gallery Plugin

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mini Course Generator | Embed mini-courses and interactive content

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: IP2Location Country Blocker

Vulnerability: Missing Authorization to Unauthenticated Information Exposure via admin_init Function
Patched Version: 2.38.9
Recommended Action: Update to version 2.38.9, or a newer patched version

Plugin: Bulk Me Now!

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mambo Importer

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comments – wpDiscuz

Vulnerability: Authentication Bypass via WordPress.com OAuth provider
Patched Version: 7.6.25
Recommended Action: Update to version 7.6.25, or a newer patched version

Plugin: Online Marksheet Creator : eMarksheet

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ADFO – Custom data in admin dashboard

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SMTP for SendGrid – YaySMTP

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Logs
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files

Vulnerability: Authenticated (Contributor+) Blind Server-Side Request Forgery via embeddoc Shortcode
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: Small Package Quotes – For Customers of FedEx

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version

Plugin: Bandsintown Events

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ziggeo

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: MLL Audio Player MP3 Ajax

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AWcode Toolkit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.15
Recommended Action: Update to version 1.0.15, or a newer patched version

Plugin: PAPERCITE

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Authentication Bypass via Disqus OAuth provider
Patched Version: 7.14
Recommended Action: Update to version 7.14, or a newer patched version

Plugin: Lockets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Give – Divi Donation Modules

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Activity Log WinterLock

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: OPSI Israel Domestic Shipments

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: AMO Team Showcase

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via amoteam_skills Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Finance

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: List category posts

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 0.90.3
Recommended Action: Update to version 0.90.3, or a newer patched version

Plugin: Botnet Attack Blocker

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Goodlayers Core

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG Upload
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Age Verification for your checkout page. Verify your customer's identity

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CRM Perks – WordPress HelpDesk Integration – Zendesk, Freshdesk, HelpScout

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Auto SEO

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: Advanced Google reCAPTCHA

Vulnerability: Built-in Math CAPTCHA Bypass
Patched Version: 1.28
Recommended Action: Update to version 1.28, or a newer patched version

Plugin: LTL Freight Quotes – SAIA Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version

Plugin: Affiliate Tools Việt Nam

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: SKT Donation – Charity and Fundraising Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Cricket Live Score

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: WordPress Helpdesk & Live Chat Plugin Powered by AI – ThriveDesk

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Simple Image Sizes

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Forex Calculators

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.8.1
Recommended Action: Update to version 3.0.8.1, or a newer patched version

Plugin: Newpost Catch

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via npc Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Tickets and Registration

Vulnerability: Missing Authorization to Ticket Deletion
Patched Version: 5.19.1.2
Recommended Action: Update to version 5.19.1.2, or a newer patched version

Plugin: The Events Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.7.1
Recommended Action: Update to version 6.7.1, or a newer patched version

Plugin: Distance Based Shipping Calculator

Vulnerability: Missing Authorization to Unauthenticated Settings Update
Patched Version: 2.0.23
Recommended Action: Update to version 2.0.23, or a newer patched version

Plugin: Login/Signup Popup ( Inline Form + Woocommerce )

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via xoo_el_action Shortcode
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version

Plugin: ApplicantPro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Modal Window – create popup modal window

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via iframeBox Shortcode
Patched Version: 6.1.6
Recommended Action: Update to version 6.1.6, or a newer patched version

Plugin: World Cup Predictor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PeproDev WooCommerce Receipt Uploader

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Small Package Quotes – USPS Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: WP Mailster

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.21.0
Recommended Action: Update to version 1.8.21.0, or a newer patched version

Plugin: DELUCKS SEO

Vulnerability: Authenticated (Subscriber+) Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Push Notification for Post and BuddyPress

Vulnerability: Missing Authorization to Unauthenticated Settings Update
Patched Version: 2.12
Recommended Action: Update to version 2.12, or a newer patched version

Plugin: C9 Blocks

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Team Builder For WPBakery Page Builder(Formerly Visual Composer)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Classified Listing – Classified ads & Business Directory Plugin

Vulnerability: Unauthenticated Settings Exposure
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: SMTP for Sendinblue – YaySMTP

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Logs
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Indeed Ultimate Learning Pro

Vulnerability: Authenticated (Administrator+) SQL Injection via post_id Parameter
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version

Plugin: Online Payments – Get Paid with PayPal, Square & Stripe

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.30.0
Recommended Action: Update to version 3.30.0, or a newer patched version

Plugin: 3D Photo Gallery

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Trash Duplicate and 301 Redirect

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Food – Restaurant Menu & Food ordering

Vulnerability: Restaurant Menu & Food ordering <= 3.3.2
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Pago por Redsys

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version

Plugin: Bulk Me Now!

Vulnerability: Reflected Cross-Site Scripting via ‘status’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PAFacile

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 3D Viewer Online

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Team Builder For WPBakery Page Builder(Formerly Visual Composer)

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: reCaptcha by BestWebSoft

Vulnerability: CAPTCHA Bypass
Patched Version: 1.79
Recommended Action: Update to version 1.79, or a newer patched version

Plugin: Widget Options – The #1 WordPress Widget & Block Control Plugin

Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: Small Package Quotes – Worldwide Express Edition

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.2.19
Recommended Action: Update to version 5.2.19, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.15.20
Recommended Action: Update to version 4.15.20, or a newer patched version

Plugin: WP Foodbakery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Raptive Ads

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Upcasted S3 Offload – AWS S3, Digital Ocean Spaces, Backblaze, Minio and more

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: SMTP for Amazon SES – YaySMTP

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Logs
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: SVG Support

Vulnerability: Stored Cross-Site Scripting via Vulnerability Dependency
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: Apptivo Business Site CRM

Vulnerability: Cross-Site Request Forgery to IP Address Block
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Widget BUY.BOX

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Calendar Made Simple – Pie Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via piecal Shortcode
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.3.4
Recommended Action: Update to version 6.0.3.4, or a newer patched version

Plugin: Typed JS: A typewriter style animation

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via typespeed Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘buddyforms_nav’ Shortcode
Patched Version: 2.8.16
Recommended Action: Update to version 2.8.16, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
