Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Drag and Drop Multiple File Upload for Contact Form 7
Vulnerability: Limited Arbitrary File Deletion
Patched Version: 1.3.8.6
Recommended Action: Update to version 1.3.8.6, or a newer patched version
Plugin: ParOne Feeds
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.18.0
Recommended Action: Update to version 1.18.0, or a newer patched version
Plugin: Gosign – Posts Slider Block
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg
Vulnerability: Missing Authorization to Icon Font Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI Infographic Maker
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version
Plugin: VR-Frases (collect & share quotes)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Youtube Gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: Event Tickets and Registration
Vulnerability: Insecure Direct Object Reference to Sensitive Information Exposure
Patched Version: 5.18.1.1
Recommended Action: Update to version 5.18.1.1, or a newer patched version
Plugin: Promotion Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Vulnerability: Unauthenticated User Information Exposure
Patched Version: 8.1
Recommended Action: Update to version 8.1, or a newer patched version
Plugin: Content Cloner
Vulnerability: Missing Authorization
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later
Vulnerability: Unauthenticated Stored Cross-Site Scripting via wishlist_name Parameter
Patched Version: 1.2.26
Recommended Action: Update to version 1.2.26, or a newer patched version
Plugin: Fare Calculator
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Dispensary
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ticketmeo – Sell Tickets – Event Ticketing
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: Rezgo Online Booking
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YOGO Booking
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: HT Event – WordPress Event Manager Plugin for Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via HT Event: Sponsor
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: QA Analytics – with Heatmaps & Replay, Privacy Friendly
Vulnerability: Missing Authorization to Unauthenticated Settings Update
Patched Version: 4.1.1.2
Recommended Action: Update to version 4.1.1.2, or a newer patched version
Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version
Plugin: Simple User Registration
Vulnerability: Missing Authorization to Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via block_css and inner_css
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version
Plugin: Order Export for WooCommerce
Vulnerability: Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Patched Version: 3.25
Recommended Action: Update to version 3.25, or a newer patched version
Plugin: Shortcode for Current Date
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: WooCommerce Customers Manager
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 31.4
Recommended Action: Update to version 31.4, or a newer patched version
Plugin: SeedProd Pro
Vulnerability: Authenticated (Editor+) Remote Code Execution
Patched Version: 6.18.14
Recommended Action: Update to version 6.18.14, or a newer patched version
Plugin: Jupiter X Core
Vulnerability: Authenticated (Contributor+) SVG Upload to Local File Inclusion (Remote Code Execution)
Patched Version: 4.8.8
Recommended Action: Update to version 4.8.8, or a newer patched version
Plugin: Responsive Blocks – WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via section_tag Parameter
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Eventer – WordPress Event & Booking Manager Plugin
Vulnerability: Missing Authorization to Unauthenticated Event Ticket Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VR-Frases (collect & share quotes)
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: aThemes Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version
Plugin: Internal Link Builder
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive Blocks – WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 25.1.2
Recommended Action: Update to version 25.1.2, or a newer patched version
Plugin: Mark Posts
Vulnerability: Missing Authorization
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Embed Swagger UI
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Live2DWebCanvas
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Help Scout
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI Image Generator for Your Content & Featured Images – AI Postpix
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.1.8.1
Recommended Action: Update to version 1.1.8.1, or a newer patched version
Plugin: Traveler Code
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SMSA Shipping (official)
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: Eventer – WordPress Event & Booking Manager Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DSGVO All in one for WP
Vulnerability: Cross-Site Request Forgery to Account Deletion
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version
Plugin: Team Rosters
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Legull
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Link Fixer
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP SVG Images
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: YASR – Yet Another Star Rating Plugin for WordPress
Vulnerability: Missing Authorization Checks
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Torod – The smart shipping and delivery portal for e-shops and retailers
Vulnerability: Missing Authorization to Unauthenticated Plugin Settings Update
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: 워드프레스 결제 심플페이 – 우커머스 결제 플러그인
Vulnerability: Reflected Cross-Site Scripting via add_query_arg Function
Patched Version: 5.2.3
Recommended Action: Update to version 5.2.3, or a newer patched version
Plugin: JS Help Desk – The Ultimate Help Desk & Support Plugin
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version
Plugin: Wise Forms
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Table Editor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Custom Related Posts
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Private Post Search and Relation Updates
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: Clinked Client Portal
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version
Plugin: Hesabfa Accounting
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: WC Affiliate – A Complete WooCommerce Affiliate Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: Spotlightr
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.1.12
Recommended Action: Update to version 0.1.12, or a newer patched version
Plugin: Eventer – WordPress Event & Booking Manager Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Bookings Export
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Track Logins
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wonder FontAwesome
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CP Contact Form with PayPal
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.53
Recommended Action: Update to version 1.3.53, or a newer patched version
Plugin: Contact Form and Calls To Action by vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Image Uploader
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Site Search 360
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: StageShow
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Carousel For WooCommerce – WoorouSell
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: WooCommerce Product Table Lite
Vulnerability: Unauthenticated Arbitrary Shortcode Execution & Reflected Cross-Site Scripting
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version
Plugin: Post Carousel Slider
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Safe Ai Malware Protection for WP
Vulnerability: Missing Authorization to Unauthenticated Database Export
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Table Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Podcast RSS Feed
Patched Version: 5.9.4
Recommended Action: Update to version 5.9.4, or a newer patched version
Plugin: Music Sheet Viewer
Vulnerability: Unauthenticated Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features)
Vulnerability: Unauthenticated Wishlist Disclosure via download_pdf_file Function
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version
Plugin: ECPay Ecommerce for WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Log Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Food Store – Online Food Delivery & Pickup
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Infility Global
Vulnerability: Reflected Cross-Site Scripting via set_type Parameter
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version
Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: eHive Objects Image Grid
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: SmartAgenda – Prise de rendez-vous en ligne
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version
Plugin: Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg
Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Image Uploader
Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: WordPress Contact Forms by Cimatti
Vulnerability: Missing Authorization to Unauthenticated Form Submission Download
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version
Plugin: Arena.IM – Live Blogging for real-time events
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.4.0
Recommended Action: Update to version 0.4.0, or a newer patched version
Plugin: Chalet-Montagne.com Tools
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: iControlWP
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.8.25
Recommended Action: Update to version 3.8.25, or a newer patched version
Plugin: WE – Testimonial Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bold pagos en linea
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version
Plugin: UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode)
Vulnerability: Insecure Direct Object Reference to Sensitive Information Exposure via UA_Template Shortcode
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Arena.IM – Live Blogging for real-time events
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via arena_embed_amp Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Support Ticket System
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Information Exposure
Patched Version: 17.9
Recommended Action: Update to version 17.9, or a newer patched version
Plugin: WordThumb
Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 4.0.9.8
Recommended Action: Update to version 4.0.9.8, or a newer patched version
Plugin: SeatReg
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.56.1
Recommended Action: Update to version 1.56.1, or a newer patched version
Plugin: All Bootstrap Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.27
Recommended Action: Update to version 1.3.27, or a newer patched version
Plugin: Huurkalender WP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Charity Addon for Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stratum – Elementor Widgets
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting Vulnerability via Image Hotspot Widget
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Unauthenticated Limited Local File Inclusion
Patched Version: 4.2.15
Recommended Action: Update to version 4.2.15, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.10
Recommended Action: Update to one of the following versions, or a newer patched version: 3.0.10, 3.0.13
Plugin: Dynamic URL SEO
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: AnimateGL Animations for WordPress – Elementor & Gutenberg Blocks Animations
Vulnerability: Missing Authorization to Unauthenticated Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Team Rosters
Vulnerability: Reflected Cross-Site Scripting via ‘tab’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version
Plugin: RapidLoad – Optimize Web Vitals Automatically
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Setting Reset
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Media Manager for UserPro
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Alex Reservations: Smart Restaurant Booking
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Single-user-chat
Vulnerability: Authenticated (Subscriber+) Limited Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: W2S – Migrate WooCommerce to Shopify
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Thim Elementor Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9.1
Recommended Action: Update to version 1.2.9.1, or a newer patched version
Plugin: MultiLoca – WooCommerce Multi Locations Inventory Management
Vulnerability: WooCommerce Multi Locations Inventory Management <= 4.1.11
Patched Version: 4.1.12
Recommended Action: Update to version 4.1.12, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Guten Free Options
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Issuu Panel
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Music Sheet Viewer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CF7 Google Sheets Connector
Vulnerability: Missing Authorization
Patched Version: 5.0.18
Recommended Action: Update to version 5.0.18, or a newer patched version
Plugin: Ai Image Alt Text Generator for WP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery
Vulnerability: GT3 Image Gallery & Gutenberg Block Gallery <= 2.7.7.24
Patched Version: 2.7.7.25
Recommended Action: Update to version 2.7.7.25, or a newer patched version
Plugin: MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites
Vulnerability: Missing Authorization to Unauthenticated Privilege Escalation
Patched Version: 5.3.4
Recommended Action: Update to version 5.3.4, or a newer patched version
Plugin: WP Job Board
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.11.1
Recommended Action: Update to version 5.11.1, or a newer patched version
Plugin: Oshine Modules
Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 3.3.8
Recommended Action: Update to version 3.3.8, or a newer patched version
Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via fieldHTML Parameter
Patched Version: 1.9.3.2
Recommended Action: Update to version 1.9.3.2, or a newer patched version
Plugin: Starter Templates by FancyWP
Vulnerability: Unauthenticated Blind Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DigiTimber cPanel Integration
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
Plugin: Contact Form and Calls To Action by vcita
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Contact/Widget Toggle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Website Builder Pro
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Shortcode
Patched Version: 3.25.11
Recommended Action: Update to version 3.25.11, or a newer patched version
Plugin: zStore Manager Basic
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Cache Clearing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Review Deletion
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Contact Form & SMTP Plugin for WordPress by PirateForms
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: HTML5 chat
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: System Dashboard
Vulnerability: Reflected Cross-Site Scripting via Filename Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FlashCounter
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP DataTable
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Patched Version: 0.2.7
Recommended Action: Update to version 0.2.7, or a newer patched version
Plugin: Meta Tag Manager
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Vulnerability: Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Job Deletion
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: CPO Content Types
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Unlimited Theme Addon For Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Shared Files – Frontend File Upload Form & Secure File Sharing
Vulnerability: Limited Unauthenticated Stored Cross-Site Scripting via File Upload
Patched Version: 1.7.43
Recommended Action: Update to version 1.7.43, or a newer patched version
Plugin: Custom Login Page Styler – Limit Login Attempts – Restrict Content With Login – Redirect After Login – Change Login URL – Sign in , Sign out
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Log Deletion and Session Termination
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version
Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Vulnerability: Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Company Deletion
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: WordPress Signature
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ARS Affiliate Page Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Sales Page Addon – Elementor & Beaver Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Media Manager for UserPro
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SKT Blocks – Gutenberg based Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: Royal Core
Vulnerability: Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Vulnerability: Insecure Direct Object Reference to Unauthenticated Company Logo Deletion
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Email Sending
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: KiviCare – Clinic & Patient Management System (EHR)
Vulnerability: Authenticated (Patient+) Insecure Direct Object Reference
Patched Version: 3.6.7
Recommended Action: Update to version 3.6.7, or a newer patched version
Plugin: MagicForm
Vulnerability: WordPress Form Builder <= 1.6.2
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Food Menu – Restaurant Menu & Online Ordering for WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: Opti Marketing
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version
Plugin: Ni Sales Commission For WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Commission Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Nirweb support
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.14
Recommended Action: Update to version 2.8.14, or a newer patched version
Plugin: Automatically Hierarchic Categories in Menu
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Link Whisper Free
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 0.7.9
Recommended Action: Update to version 0.7.9, or a newer patched version
Plugin: Full Circle
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Qi Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version
Plugin: Forge – Front-End Page Builder
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Broadstreet
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via zone Parameter
Patched Version: 1.51.1
Recommended Action: Update to version 1.51.1, or a newer patched version
Plugin: WP BASE Booking of Appointments, Services and Events
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.1.0
Recommended Action: Update to version 5.1.0, or a newer patched version
Plugin: B Slider- Gutenberg Slider Block for WP
Vulnerability: Authenticated (Contributor+) Private Post Disclosure via bsb-slider Shortcode
Patched Version: 1.1.24
Recommended Action: Update to version 1.1.24, or a newer patched version
Plugin: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: MBE eShip
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: WP Post List Table
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Frictionless
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Travel – Ultimate Travel Booking System, Tour Management Engine
Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Manager
Vulnerability: Unauthenticated Arbitrary Double File Extension Upload
Patched Version: 8.6.5
Recommended Action: Update to version 8.6.5, or a newer patched version
Plugin: Document Block – Upload & Embed Docs, PDF, PPT, XLS or Any Documents
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Link Directory
Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 8.4.6
Recommended Action: Update to version 8.4.6, or a newer patched version
Plugin: Traveler Layout Essential For Elementor
Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode)
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple:Press Forum
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.10.12
Recommended Action: Update to version 6.10.12, or a newer patched version
Plugin: Payment Gateway Per Product for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 3.5.9
Recommended Action: Update to version 3.5.9, or a newer patched version
Plugin: MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics
Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Options Update
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: which template file
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: Tags to Keywords
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: ClickDesigns
Vulnerability: Missing Authorization to API Key Modification or Removal
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: ShopSite
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5.11
Recommended Action: Update to version 1.5.11, or a newer patched version
Plugin: Zarinpal Paid Download
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BoomBox Theme Extensions
Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Gwolle Guestbook
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version
Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: Missing Authorization
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version
Plugin: PKT1 Centro de envios
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Traveler Code
Vulnerability: Unauthenticated Arbitrary SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Unlimited Page Sidebars
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.2.7
Recommended Action: Update to version 0.2.7, or a newer patched version
Plugin: OWL Carousel Slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ELEX WordPress HelpDesk & Customer Ticketing System
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version
Plugin: Target Video Easy Publish
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via brid_override_yt Shortcode
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version
Plugin: Pulsating Chat Button
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: Scroll Styler
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Infility Global
Vulnerability: Authenticated (Subscriber+) Missing Authorization to Plugin Options Update
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version
Plugin: Import and export users and customers
Vulnerability: Unauthenticated Sensitive Information Disclosure
Patched Version: 1.27.13
Recommended Action: Update to version 1.27.13, or a newer patched version
Plugin: Media Library Folders
Vulnerability: Authenticated (Subscriber+) Second-Order SQL Injection
Patched Version: 8.2.3
Recommended Action: Update to version 8.2.3, or a newer patched version
Plugin: Jupiter X Core
Vulnerability: Authenticated (Contributor+) Arbitrary File Read
Patched Version: 4.8.8
Recommended Action: Update to version 4.8.8, or a newer patched version
Plugin: Divi Torque Lite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Plugin: Medical Addon for Elementor
Vulnerability: Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Shortcode
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via heading tag
Patched Version: 2.7.4.5
Recommended Action: Update to version 2.7.4.5, or a newer patched version
Plugin: Tube Video Ads Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EthereumICO
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ethereum-ico Shortcode
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: Sensly Online Presence
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bilingual Linker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Animator – Scroll Triggered Animations
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.16
Recommended Action: Update to version 3.0.16, or a newer patched version
Plugin: SSL Wireless SMS Notification
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: OAuth Single Sign On – SSO (OAuth Client)
Vulnerability: Authentication Bypass
Patched Version: 6.26.4
Recommended Action: Update to version 6.26.4, or a newer patched version
Plugin: Typer Core
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Push Notification for Post and BuddyPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.08
Recommended Action: Update to version 2.08, or a newer patched version
Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Vulnerability: Insecure Direct Object Reference to Unauthenticated Arbitrary Resume Download
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: Muslim Prayer Time BD – Prayer Reminder for Bangladesh
Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Morkva UA Shipping
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.0.20
Recommended Action: Update to version 1.0.20, or a newer patched version
Plugin: WP Sessions Time Monitoring Full Automatic
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Designer – Elementor Addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kona Gallery Block
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Stockdio Historical Chart
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.19
Recommended Action: Update to version 2.8.19, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version
Plugin: Be POPIA Compliant
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: WPRadio – WordPress Radio Streaming Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Options Update (save_addon_key_license)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Duplicate Post, Page and Any Custom Post
Vulnerability: Authenticated (Contributor+) Post Disclosure via Post Duplication
Patched Version: 3.5.6
Recommended Action: Update to version 3.5.6, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Reflected Cross-Site Scripting via Title Parameter
Patched Version: 1.38.3
Recommended Action: Update to version 1.38.3, or a newer patched version
Plugin: VR-Frases (collect & share quotes)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GoHero Store Customizer for WooCommerce
Vulnerability: Missing Authorization to Unauthenticated Settings Update
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Authenticated (Contributor+) User Meta Disclosure
Patched Version: 2.12.9
Recommended Action: Update to version 2.12.9, or a newer patched version
Plugin: Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.4.5
Recommended Action: Update to version 5.4.5, or a newer patched version
Plugin: Hide Shipping Method For WooCommerce
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Arena.IM – Live Blogging for real-time events
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Image Uploader
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.