Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: 2.8.2
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: Orbit Fox by ThemeIsle
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.10.32
Recommended Action: Update to version 2.10.32, or a newer patched version
Plugin: Form builder to get in touch with visitors and grow your email list — Happyforms
Vulnerability: Missing Authorization
Patched Version: 1.25.11
Recommended Action: Update to version 1.25.11, or a newer patched version
Plugin: Seraphinite Accelerator
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery in OnAdminApi_HtmlCheck
Patched Version: 2.21
Recommended Action: Update to version 2.21, or a newer patched version
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Cross-Site Request Forgery via categorifyAjaxDeleteCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: WP eCommerce
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Archivist – Custom Archive Templates
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: Addon Library
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fontific | Google Fonts
Vulnerability: Cross-Site Request Forgery via ajax_fontific_save_all
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Missing Authorization in categorifyAjaxAddCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Maintenance Page
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Directory Traversal to Local File Inclusion
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: Colibri Page Builder
Vulnerability: Cross-Site Request Forgery via extend_builder
Patched Version: 1.0.260
Recommended Action: Update to version 1.0.260, or a newer patched version
Plugin: Live Composer – Free WordPress Website Builder
Vulnerability: Authenticated (Author+) PHP Object Injection
Patched Version: 1.5.29
Recommended Action: Update to version 1.5.29, or a newer patched version
Plugin: Under Construction / Maintenance Mode from Acurax
Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Login as User or Customer
Vulnerability: Unauthenticated Limited Admin Account Compromise
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MainWP Dashboard: WordPress Management without the SaaS
Vulnerability: Cross-Site Request Forgery via posting_bulk
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version
Plugin: Adsmonetizer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: Thank You Page Customizer for WooCommerce – Increase Your Sales
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Data Export
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Piotnet Forms
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.0.29
Recommended Action: Update to version 1.0.29, or a newer patched version
Plugin: Thank You Page Customizer for WooCommerce – Increase Your Sales
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: WordPress Access Control
Vulnerability: Improper Access Control to Sensitive Information Exposure via REST API
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Heureka
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 蜜蜂采集-BeePress 微信公众号今日头条知乎专栏简书等平台文章采集插件
Vulnerability: Cross-Site Request Forgery via beepress-pro.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Dual Button Widget
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: Jobs for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: Widget for Social Page Feeds
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.4
Recommended Action: Update to version 6.4, or a newer patched version
Plugin: WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
Vulnerability: Missing Authorization to Unauthenticated IP Address Whitelist
Patched Version: 4.52
Recommended Action: Update to version 4.52, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.41
Recommended Action: Update to version 2.4.41, or a newer patched version
Plugin: WP Private Content Plus
Vulnerability: Protection Mechanism Bypass
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: Gestpay for WooCommerce
Vulnerability: Cross-Site Request Forgery (CSRF) via ajax_unset_default_card
Patched Version: 20240307
Recommended Action: Update to version 20240307, or a newer patched version
Plugin: ArtiBot Free Chat Bot for WebSites
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Tabs Shortcode and Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Missing Authorization in categorifyAjaxUpdateFolderPosition
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Modal Popup Effect
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: BackWPup – WordPress Backup & Restore Plugin
Vulnerability: Plaintext Storage of Backup Destination Password
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: Change Table Prefix
Vulnerability: Cross-Site Request Forgery via change_prefix_form
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
Vulnerability: Reflected Cross-Site Scripting via plugin
Patched Version: 3.1.42
Recommended Action: Update to version 3.1.42, or a newer patched version
Plugin: Enhanced Text Widget
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Plugin: SuperFaktura WooCommerce
Vulnerability: Authenticated (Subscriber+) Blind Server-Side Request Forgery
Patched Version: 1.40.4
Recommended Action: Update to version 1.40.4, or a newer patched version
Plugin: CodeMirror Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Admin side data storage for Contact Form 7
Vulnerability: Missing Authorization to Unauthenticated Read Status Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via [reg-select-role] Shortcode
Patched Version: 4.15.1
Recommended Action: Update to version 4.15.1, or a newer patched version
Plugin: LiteSpeed Cache
Vulnerability: Missing Authorization via update_cdn_status
Patched Version: 5.7.0.1
Recommended Action: Update to version 5.7.0.1, or a newer patched version
Plugin: Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Brizy – Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.41
Recommended Action: Update to version 2.4.41, or a newer patched version
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Cross-Site Request Forgery via categorifyAjaxRenameCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Page Restrict
Vulnerability: Protection Mechanism Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Envo's Elementor Templates & Widgets for WooCommerce
Vulnerability: Cross-Site Request Forgery via ajax_theme_activation
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Maintenance Page
Vulnerability: Security Mechanism Bypass via REST API
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: Watermark RELOADED
Vulnerability: Cross-Site Request Forgery via optionsPage
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Cross-Site Request Forgery via categorifyAjaxUpdateFolderPosition
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Gestpay for WooCommerce
Vulnerability: Cross-Site Request Forgery (CSRF) via ajax_delete_card
Patched Version: 20240307
Recommended Action: Update to version 20240307, or a newer patched version
Plugin: Responsive Pricing Table
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 5.1.11
Recommended Action: Update to version 5.1.11, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Authenticated (Contributor+) Directory Traversal
Patched Version: 2.4.41
Recommended Action: Update to version 2.4.41, or a newer patched version
Plugin: User Shortcodes Plus
Vulnerability: Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via user_meta Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Media Alt Renamer
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via _wp_attachment_image_alt postmeta
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Cross-Site Request Forgery via categorifyAjaxAddCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Relevanssi – A Better Search
Vulnerability: Missing Authorization to Unauthenticated Query Log Export
Patched Version: 4.22.1
Recommended Action: Update to version 4.22.1, or a newer patched version
Plugin: Profile Box Shortcode And Widget
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Admin side data storage for Contact Form 7
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Redirects
Vulnerability: Missing Authorization via save
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CatalogX – Product Catalog Mode For WooCommerce
Vulnerability: Cross-Site Request Forgery via REST API
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version
Plugin: Gestpay for WooCommerce
Vulnerability: Cross-Site Request Forgery (CSRF) via ajax_set_default_card
Patched Version: 20240307
Recommended Action: Update to version 20240307, or a newer patched version
Plugin: Configure SMTP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 7.0.8
Recommended Action: Update to version 7.0.8, or a newer patched version
Plugin: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Bookmarks
Patched Version: 1.15.4
Recommended Action: Update to version 1.15.4, or a newer patched version
Plugin: Plugin Groups
Vulnerability: Missing Authorization to Unauthenticated Denial of Service
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ArtiBot Free Chat Bot for WebSites
Vulnerability: Missing Authorization to Settings Update
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Digits: WordPress Mobile Number Signup and Login
Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: 8.4.2
Recommended Action: Update to version 8.4.2, or a newer patched version
Plugin: KODO Qiniu
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Oliver POS – A WooCommerce Point of Sale (POS)
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.1.9
Recommended Action: Update to version 2.4.1.9, or a newer patched version
Plugin: Team Members
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version
Plugin: Comments Extra Fields For Post,Pages and CPT
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: Download Media
Vulnerability: Missing Authorization via generate_link_for_media
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via su_qrcode Shortcode
Patched Version: 7.0.4
Recommended Action: Update to version 7.0.4, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Thumbnail Slider Widget
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: Envo's Elementor Templates & Widgets for WooCommerce
Vulnerability: Missing Authorization via templates_ajax_request
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Custom fields shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SoundCloud Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: Rolo Slider
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Database Reset
Vulnerability: Cross-Site Request Forgery to WP Reset Plugin Installation
Patched Version: 3.23
Recommended Action: Update to version 3.23, or a newer patched version
Plugin: Duitku Payment Gateway
Vulnerability: Missing Authorization via check_duitku_response
Patched Version: 2.11.7
Recommended Action: Update to version 2.11.7, or a newer patched version
Plugin: Page Restriction WordPress (WP) – Protect WP Pages/Post
Vulnerability: Protection Mechanism Bypass
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Contact Form 7 – PayPal & Stripe Add-on
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Tweet
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Colibri Page Builder
Vulnerability: Cross-Site Request Forgery via cp_shortcode_refresh
Patched Version: 1.0.260
Recommended Action: Update to version 1.0.260, or a newer patched version
Plugin: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version
Plugin: Custom Order Statuses for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Tickets and Registration
Vulnerability: Missing Authorization
Patched Version: 5.8.2
Recommended Action: Update to version 5.8.2, or a newer patched version
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Missing Authorization in categorifyAjaxClearCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Piotnet Forms
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.0.29
Recommended Action: Update to version 1.0.29, or a newer patched version
Plugin: WP eCommerce
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post Creation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.9.20
Recommended Action: Update to version 1.9.20, or a newer patched version
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Cross-Site Request Forgery via categorifyAjaxClearCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Admin side data storage for Contact Form 7
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Orbit Fox by ThemeIsle
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via form widget addr2_width attribute
Patched Version: 2.10.31
Recommended Action: Update to version 2.10.31, or a newer patched version
Plugin: Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Table Truncation
Patched Version: 4.53
Recommended Action: Update to version 4.53, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Content Switcher Widget
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: Page Duplicator
Vulnerability: Missing Authorization to Unauthenticated Post/Page Duplication
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress
Vulnerability: Authenticated (Subscriber+) SQL Injection via ee_syncProductCategory
Patched Version: 7.0.8
Recommended Action: Update to version 7.0.8, or a newer patched version
Plugin: YML for Yandex Market
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.4
Recommended Action: Update to version 4.2.4, or a newer patched version
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Missing Authorization in categorifyAjaxDeleteCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Bulk Edit Post Titles
Vulnerability: Missing Authorization via bulkUpdatePostTitles
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Comments Extra Fields For Post,Pages and CPT
Vulnerability: Missing Authorization
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: Envo's Elementor Templates & Widgets for WooCommerce
Vulnerability: Cross-Site Request Forgery via ajax_plugin_activation
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Scalable Vector Graphics (SVG)
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Slivery Extender
Vulnerability: Authenticated (Contributor+) Remote Code Execution via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Jeg Elementor Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Tags
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Vulnerability: Missing Authorization via process_review
Patched Version: 7.5.2
Recommended Action: Update to version 7.5.2, or a newer patched version
Plugin: Ultimate Posts Widget
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via profilepress-edit-profile Shortcode
Patched Version: 4.15.2
Recommended Action: Update to version 4.15.2, or a newer patched version
Plugin: LiteSpeed Cache
Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘nameservers’ and ‘_msg’
Patched Version: 5.7.0.1
Recommended Action: Update to version 5.7.0.1, or a newer patched version
Plugin: Admin side data storage for Contact Form 7
Vulnerability: Missing Authorization to Unauthenticated Bookmark Status Alteration
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tainacan
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 0.20.7
Recommended Action: Update to version 0.20.7, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 2.4.41
Recommended Action: Update to version 2.4.41, or a newer patched version
Plugin: Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Orbit Fox by ThemeIsle
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.10.31
Recommended Action: Update to version 2.10.31, or a newer patched version
Plugin: NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: WooCommerce Google Sheet Connector
Vulnerability: Missing Authorization
Patched Version: 1.3.12
Recommended Action: Update to version 1.3.12, or a newer patched version
Plugin: Coming Soon Page & Maintenance Mode
Vulnerability: Maintenance Mode Bypass
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: PayU CommercePro Plugin
Vulnerability: Reflected Cross-Site Scripting via type
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: SMS Alert Order Notifications – WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 3.19.3
Recommended Action: Update to version 3.19.3, or a newer patched version
Plugin: Login With Ajax – Fast Logins, 2FA, Redirects
Vulnerability: Missing Authorization
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: Piotnet Forms
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 1.0.30
Recommended Action: Update to version 1.0.30, or a newer patched version
Plugin: postMash – custom post order
Vulnerability: Reflected Cross-Site Scripting via m
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Under Construction / Maintenance Mode from Acurax
Vulnerability: Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Restrict User Access – Ultimate Membership & Content Protection
Vulnerability: Information Exposure
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: Categorify – WordPress Media Library Category & File Manager
Vulnerability: Missing Authorization in categorifyAjaxRenameCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.41
Recommended Action: Update to version 2.4.41, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.