Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms
Vulnerability: Kali Forms <= 2.3.36
Patched Version: 2.3.37
Recommended Action: Update to version 2.3.37, or a newer patched version
Plugin: WP Photo Album Plus
Vulnerability: IP Spoofing
Patched Version: 8.6.01.005
Recommended Action: Update to version 8.6.01.005, or a newer patched version
Plugin: Woocommerce Vietnam Checkout
Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.15
Recommended Action: Update to version 2.7.15, or a newer patched version
Plugin: Form builder to get in touch with visitors and grow your email list — Happyforms
Vulnerability: Missing Authorization
Patched Version: 1.25.11
Recommended Action: Update to version 1.25.11, or a newer patched version
Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 18.5.10
Recommended Action: Update to version 18.5.10, or a newer patched version
Plugin: Fatal Error Notify
Vulnerability: Cross-Site Request Forgery to Test Error Email Sending
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Active Products Tables for WooCommerce. Use constructor to create tables
Vulnerability: Missing Authorization
Patched Version: 1.0.6.2
Recommended Action: Update to version 1.0.6.2, or a newer patched version
Plugin: HTML5 Video Player – mp4 Video Player Plugin and Block
Vulnerability: Unauthenticated SQL Injection via id
Patched Version: 2.5.25
Recommended Action: Update to version 2.5.25, or a newer patched version
Plugin: CalculatorPro Calculators
Vulnerability: Reflected Cross-Site Scripting via CP_preview_calc
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Coupon Referral Program
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Starbox – the Author Box for Humans
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Display Name and Social Settings
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Plugin: Database for Contact Form 7, WPforms, Elementor forms
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Restrict Usernames Emails Characters
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional
Vulnerability: Missing Authorization
Patched Version: 1.0.8.2
Recommended Action: Update to version 1.0.8.2, or a newer patched version
Plugin: Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid
Vulnerability: Improper Authorization to Unauthenticated Arbitrary File Download
Patched Version: 1.15.9
Recommended Action: Update to version 1.15.9, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Vulnerability: Missing Authorization via bdt_duplicate_as_draft
Patched Version: 5.4.12
Recommended Action: Update to version 5.4.12, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Improper Input Validation via save_event_booking
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Heateor Social Login WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.31
Recommended Action: Update to version 1.1.31, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Missing Authorization via add_row_actions
Patched Version: 3.10.2
Recommended Action: Update to version 3.10.2, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Authenticated (Shop Manager+) Stored Cross-Site Scripting via variable pricing options
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version
Plugin: Starbox – the Author Box for Humans
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via Job Settings
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery via RSS Feed Source
Patched Version: 4.23.6
Recommended Action: Update to version 4.23.6, or a newer patched version
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.1.6
Recommended Action: Update to version 5.1.6, or a newer patched version
Plugin: Product Labels For Woocommerce (Sale Badges)
Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition
Vulnerability: Missing Authorization to Unauthenticated Privilege Escalation
Patched Version: 3.05.1
Recommended Action: Update to version 3.05.1, or a newer patched version
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Missing Authorization via restore_records()
Patched Version: 8.5.7
Recommended Action: Update to version 8.5.7, or a newer patched version
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Missing Authorization
Patched Version: 4.0.26
Recommended Action: Update to version 4.0.26, or a newer patched version
Plugin: Smart Forms – when you need more than just a contact form
Vulnerability: Missing Authorization
Patched Version: 2.6.87
Recommended Action: Update to version 2.6.87, or a newer patched version
Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
Vulnerability: Cross-Site Request Forgery to Plugin Options Update
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: Persian Fonts
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Meta Box
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.3
Recommended Action: Update to version 5.9.3, or a newer patched version
Plugin: Polls CP
Vulnerability: Unauthenticated Poll Limit Bypass
Patched Version: 1.0.72
Recommended Action: Update to version 1.0.72, or a newer patched version
Plugin: Podlove Podcast Publisher
Vulnerability: Missing Authorization to Settings Import
Patched Version: 4.0.12
Recommended Action: Update to version 4.0.12, or a newer patched version
Plugin: Advanced iFrame
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2024.0
Recommended Action: Update to version 2024.0, or a newer patched version
Plugin: Five Star Restaurant Reviews
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Review URL
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version
Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More
Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 6.5.3
Recommended Action: Update to version 6.5.3, or a newer patched version
Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting via Plugin Options
Patched Version: 1.1.4.1
Recommended Action: Update to version 1.1.4.1, or a newer patched version
Plugin: Apollo13 Framework Extensions
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version
Plugin: SlimStat Analytics
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 5.1.4
Recommended Action: Update to version 5.1.4, or a newer patched version
Plugin: Ultra Companion – Companion plugin for WPoperation Themes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Icons Font Loader – Load Various Web Fonts & Icons on WP
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: TelSender – Wp to telegram СF 7, Events, Wpforms, Ninja forms, Wooccommerce
Vulnerability: Missing Authorization
Patched Version: 1.14.12
Recommended Action: Update to version 1.14.12, or a newer patched version
Plugin: WP Dummy Content Generator
Vulnerability: Missing Authorization
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Unauthenticated Second Order SQL Injection
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version
Plugin: Optimize Database after Deleting Revisions
Vulnerability: Cross-Site Request Forgery via ‘odb_start_manually’
Patched Version: 5.2
Recommended Action: Update to version 5.2, or a newer patched version
Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Vulnerability: Missing Authorization via Several Functions
Patched Version: 1.1.4.1
Recommended Action: Update to version 1.1.4.1, or a newer patched version
Plugin: Knowledge Base – Excellent Documentation and FAQs Plugin with AI Assistance
Vulnerability: Unauthenticated PHP Object Injection in is_article_recently_viewed
Patched Version: 11.31.0
Recommended Action: Update to version 11.31.0, or a newer patched version
Plugin: Accessibility
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: Customer Reviews for WooCommerce
Vulnerability: Improper Authorization via submit_review
Patched Version: 5.39.0
Recommended Action: Update to version 5.39.0, or a newer patched version
Plugin: Gutenberg Block Editor Toolkit – EditorsKit
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.40.4
Recommended Action: Update to version 1.40.4, or a newer patched version
Plugin: WooCommerce Builder & Gutenberg WooCommerce Blocks – WowStore
Vulnerability: PHP Object Injection via wopb_wishlist and wopb_compare
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version
Plugin: WooCommerce Conversion Tracking
Vulnerability: Missing Authorization via wcct_install_happy_addons
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version
Plugin: Mighty Addons for Elementor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chartify – WordPress Chart Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: Quicksand Post Filter jQuery Plugin
Vulnerability: Cross-Site Request Forgery via renderAdmin
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 3D Tag Cloud
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Active Products Tables for WooCommerce. Use constructor to create tables
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.6.2
Recommended Action: Update to version 1.0.6.2, or a newer patched version
Plugin: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin
Vulnerability: Authenticated (Contributor+) PHP Object Injection in mep_event_meta_save
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version
Plugin: OWL Carousel – WordPress Owl Carousel Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Missing Authorization via set_starred()
Patched Version: 8.5.7
Recommended Action: Update to version 8.5.7, or a newer patched version
Plugin: Admin Menu Editor
Vulnerability: Cross-Site Request Forgery via ajax_hide_hint()
Patched Version: 1.12.1
Recommended Action: Update to version 1.12.1, or a newer patched version
Plugin: WP Photo Album Plus
Vulnerability: Cross-Site Scripting
Patched Version: 8.6.01.005
Recommended Action: Update to version 8.6.01.005, or a newer patched version
Plugin: Relevanssi – A Better Search (Pro)
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 2.25
Recommended Action: Update to version 2.25, or a newer patched version
Plugin: Shariff Wrapper
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.6.10
Recommended Action: Update to version 4.6.10, or a newer patched version
Plugin: Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic
Vulnerability: Missing Authorization via accept_terms_of_service
Patched Version: 9.7.12
Recommended Action: Update to version 9.7.12, or a newer patched version
Plugin: Quiz Maker
Vulnerability: Missing Authorization to Unauthenticated Quiz Data Retrieval
Patched Version: 6.5.2.5
Recommended Action: Update to version 6.5.2.5, or a newer patched version
Plugin: PPOM – Product Addons & Custom Fields for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 32.0.10
Recommended Action: Update to version 32.0.10, or a newer patched version
Plugin: LearnDash LMS
Vulnerability: Sensitive Information Exposure via API
Patched Version: 4.10.2
Recommended Action: Update to version 4.10.2, or a newer patched version
Plugin: WP Club Manager – WordPress Sports Club Plugin
Vulnerability: Missing Authorization to Unauthenticated Event Permalink Update
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version
Plugin: Themify Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 7.0.6
Recommended Action: Update to version 7.0.6, or a newer patched version
Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)
Vulnerability: Incorrect Authorization via bdt_duplicate_as_draft
Patched Version: 3.11.11
Recommended Action: Update to version 3.11.11, or a newer patched version
Plugin: PilotPress
Vulnerability: Authenticated (Subscriber+) Missing Authorization via multiple AJAX functions
Patched Version: 2.0.31
Recommended Action: Update to version 2.0.31, or a newer patched version
Plugin: Custom User CSS
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.12.12
Recommended Action: Update to version 1.12.12, or a newer patched version
Plugin: WP 404 Auto Redirect to Similar Post
Vulnerability: Reflected Cross-Site Scripting via request
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: SiteOrigin Widgets Bundle
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.58.2
Recommended Action: Update to version 1.58.2, or a newer patched version
Plugin: A no-code page builder for beautiful performance-based content
Vulnerability: Cross-Site Request Forgery via handleRequest
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wonder Slider Lite
Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 14.0
Recommended Action: Update to version 14.0, or a newer patched version
Plugin: LearnDash LMS
Vulnerability: Sensitive Information Exposure via assignments
Patched Version: 4.10.2
Recommended Action: Update to version 4.10.2, or a newer patched version
Plugin: Scheduling Plugin – Online Booking for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Photo Album Plus
Vulnerability: Insecure Direct Object Reference
Patched Version: 8.6.01.005
Recommended Action: Update to version 8.6.01.005, or a newer patched version
Plugin: ERE Recently Viewed – Essential Real Estate Add-On
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: Kikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerce
Vulnerability: Missing Authorization via checkout_map_rules_order_ajax_handler
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version
Plugin: Minimal Coming Soon – Coming Soon Page
Vulnerability: Unauthenticated Maintenance Mode Bypass
Patched Version: 2.38
Recommended Action: Update to version 2.38, or a newer patched version
Plugin: AI Popup
Vulnerability: Authenticated (Admin+) Directory Traversal to Limited Local File Inclusion
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
Vulnerability: Missing Authorization via seedprod_lite_new_lpage
Patched Version: 6.15.22
Recommended Action: Update to version 6.15.22, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.14.4
Recommended Action: Update to version 4.14.4, or a newer patched version
Plugin: Load More Anything
Vulnerability: Missing Authorization to Plugin Settings Modification
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: Checkout Mestres do WP for WooCommerce
Vulnerability: Authentication Bypass via Password Reset
Patched Version: 7.1.9.8
Recommended Action: Update to version 7.1.9.8, or a newer patched version
Plugin: Advanced Forms for ACF
Vulnerability: Missing Authorization to Unauthenticated Form Settings Export
Patched Version: 1.9.3.3
Recommended Action: Update to version 1.9.3.3, or a newer patched version
Plugin: Mendeley Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quiz Maker
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Creation & Modification
Patched Version: 6.5.2.5
Recommended Action: Update to version 6.5.2.5, or a newer patched version
Plugin: FG Joomla to WordPress
Vulnerability: Cross-Site Request Forgery via ajax_importer
Patched Version: 4.17.0
Recommended Action: Update to version 4.17.0, or a newer patched version
Plugin: Click To Tweet
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Property Hive
Vulnerability: Missing Authorization via activate_pro_feature
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: WP Hotel Booking
Vulnerability: Improper Authorization on Multiple REST API Routes
Patched Version: 2.0.9.3
Recommended Action: Update to version 2.0.9.3, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.8
Recommended Action: Update to version 5.9.8, or a newer patched version
Plugin: PowerPack Pro for Elementor
Vulnerability: Missing Authorization to Settings Reset
Patched Version: 2.10.8
Recommended Action: Update to version 2.10.8, or a newer patched version
Plugin: Orbit Fox by ThemeIsle
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.230
Recommended Action: Update to version 2.10.230, or a newer patched version
Plugin: JTRT Responsive Tables
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Checkout Mestres do WP for WooCommerce
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Options Update
Patched Version: 7.1.9.8
Recommended Action: Update to version 7.1.9.8, or a newer patched version
Plugin: TablePress – Tables in WordPress made easy
Vulnerability: Authenticated (Author+) Server-Side Request Forgery (SSRF) via _get_import_files
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Wp-Adv-Quiz
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Quiz Title
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.27
Recommended Action: Update to version 2.2.27, or a newer patched version
Plugin: Page Restrict
Vulnerability: Cross-Site Request Forgery via pr_admin_page
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woostify Sites Library
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Options Update
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
Plugin: WP-CFM
Vulnerability: Cross-Site Request Forgery via multiple AJAX functions
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version
Plugin: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Vulnerability: Missing Authorization
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version
Plugin: Link Library
Vulnerability: Reflected Cross-Site Scripting via ‘link_price’ and ‘link_tags’
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version
Plugin: Structured Content (JSON-LD) #wpsc
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Classic Editor Shortcode
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship
Vulnerability: Reflected Cross-Site Scripting via biteship_error and biteship_message
Patched Version: 2.2.25
Recommended Action: Update to version 2.2.25, or a newer patched version
Plugin: Seraphinite Accelerator
Vulnerability: Unauthenticated Sensitive Information Exposure via Log File
Patched Version: 2.20.48
Recommended Action: Update to version 2.20.48, or a newer patched version
Plugin: Portugal CTT Tracking for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: PopupAlly
Vulnerability: Cross-Site Request Forgery via optin_submit_callback
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: Unlimited Addons for WPBakery Page Builder
Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Podlove Podcast Publisher
Vulnerability: Missing Authorization to Unauthenticated Data Export
Patched Version: 4.0.12
Recommended Action: Update to version 4.0.12, or a newer patched version
Plugin: PDF Invoices & Packing Slips for WooCommerce
Vulnerability: Authenticated (Shop Manager+) SQL Injection
Patched Version: 3.7.7
Recommended Action: Update to version 3.7.7, or a newer patched version
Plugin: Debug
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11
Recommended Action: Update to version 1.11, or a newer patched version
Plugin: LearnDash LMS
Vulnerability: Sensitive Information Exposure via API
Patched Version: 4.10.3
Recommended Action: Update to version 4.10.3, or a newer patched version
Plugin: Post Thumbnail Editor
Vulnerability: Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Auto Listings – Car Listings & Car Dealership Plugin for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version
Plugin: Captcha Code
Vulnerability: Captcha Bypass
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version
Plugin: Contact Form 7 Connector
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: PT Sign Ups – Beautiful volunteer sign ups and management made easy
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Header/Footer code
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: Scroll Triggered Box
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: First Order Discount Woocommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.22
Recommended Action: Update to version 1.22, or a newer patched version
Plugin: Add Customer for WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Missing Authorization
Patched Version: 0.9.95
Recommended Action: Update to version 0.9.95, or a newer patched version
Plugin: Wp-Adv-Quiz
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Quiz Question and Message
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: Quicksand Post Filter jQuery Plugin
Vulnerability: Missing Authorization via quicksand_admin_ajax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Beds24 Online Booking
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.24
Recommended Action: Update to version 2.0.24, or a newer patched version
Plugin: Don't Muck My Markup
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Captcha Bypass
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Calculated Fields Form
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.53
Recommended Action: Update to version 1.2.53, or a newer patched version
Plugin: Property Hive
Vulnerability: Unauthenticated PHP Object Injection via propertyhive_currency
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Booking Calendar | Appointment Booking | Bookit
Vulnerability: Price Bypass
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Checkout Mestres do WP for WooCommerce
Vulnerability: Unauthenticated SQL Injection
Patched Version: 7.1.9.8
Recommended Action: Update to version 7.1.9.8, or a newer patched version
Plugin: EventON Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version
Plugin: W3SPEEDSTER
Vulnerability: Cross-Site Request Forgery via launch
Patched Version: 7.20
Recommended Action: Update to version 7.20, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Cross-Site Request Forgery
Patched Version: 21.2.9
Recommended Action: Update to version 21.2.9, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3.4
Recommended Action: Update to version 5.3.4, or a newer patched version
Plugin: PowerPack Pro for Elementor
Vulnerability: Cross-Site Request Forgery to Plugin Settings Modification and Cross-Site Scripting
Patched Version: 2.10.8
Recommended Action: Update to version 2.10.8, or a newer patched version
Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries
Vulnerability: Cross-Site Request Forgery via review_nag_check
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version
Plugin: WordPress Toolbar
Vulnerability: Open Redirect via wptbto
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: System Dashboard
Vulnerability: Missing Authorization to Information Disclosure (sd_option_value)
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Disabled Membership Registration Bypass
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Improper Access Control to Sensitive Information Exposure via REST API
Patched Version: 4.0.25
Recommended Action: Update to version 4.0.25, or a newer patched version
Plugin: GDPR Data Request Form
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: MW WP Form
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 5.1.0
Recommended Action: Update to version 5.1.0, or a newer patched version
Plugin: Podlove Subscribe button
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.3.11
Recommended Action: Update to version 1.3.11, or a newer patched version
Plugin: Polls CP
Vulnerability: Unauthenticated Content Injection
Patched Version: 1.0.72
Recommended Action: Update to version 1.0.72, or a newer patched version
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Missing Authorization via set_read()
Patched Version: 8.5.7
Recommended Action: Update to version 8.5.7, or a newer patched version
Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 6.9.5
Recommended Action: Update to version 6.9.5, or a newer patched version
Plugin: Product Enquiry for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Anonymous Restricted Content
Vulnerability: Protection Mechanism Bypass
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.05.1
Recommended Action: Update to version 3.05.1, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.17
Recommended Action: Update to version 4.10.17, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 4.70
Recommended Action: Update to version 4.70, or a newer patched version
Plugin: JetBackup – WP Backup, Migrate & Restore
Vulnerability: Sensitive Information Exposure via Directory Listing
Patched Version: 2.0.9.9
Recommended Action: Update to version 2.0.9.9, or a newer patched version
Plugin: WP STAGING WordPress Backup Plugin – Migration Backup Restore
Vulnerability: Sensitive Information Exposure via cache files
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Link Library
Vulnerability: Cross-Site Request Forgery via action_admin_init
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version
Plugin: WooCommerce Box Office
Vulnerability: Missing Authorization
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: AMP for WP – Accelerated Mobile Pages
Vulnerability: Authenticated (Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data
Patched Version: 1.0.93.2
Recommended Action: Update to version 1.0.93.2, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.