Watch Out Wednesday – January 15, 2025

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: MAS Elementor

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Hero Mega Menu – Responsive WordPress Menu Plugin

Vulnerability: Responsive WordPress Menu Plugin <= 1.16.5
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Mapper

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 Database – CFDB7

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.3.4
Recommended Action: Update to version 3.7.3.4, or a newer patched version

Plugin: wplms-plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.9.9.5.3
Recommended Action: Update to version 1.9.9.5.3, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.19.4
Recommended Action: Update to version 3.19.4, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Sensitive Information Exposure via Imported Subscribers CSV File
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kintpv Wooconnect

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LSX Tour Operator

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Newsletter2Go

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Style Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Autocompleter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Auction Plugin

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP SPID Italia

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Standard Box Sizes – for WooCommerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Preloader by WordPress Monsters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accessibility by AllAccessible

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Event Monster – Event Management, Tickets Booking, Upcoming Event

Vulnerability: Information Exposure Via Visitors List Export
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Project Showcase – A WordPress Plugin to Display Projects in Various Layouts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Cost Calculator Builder

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 3.2.43
Recommended Action: Update to version 3.2.43, or a newer patched version

Plugin: odPhotogalleryPlugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Typebot

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Custom Dashboard Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Enter Addons – Ultimate Template Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: MyOrderDesk

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: CF Internal Link Shortcode

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.0.8
Recommended Action: Update to version 6.0.8, or a newer patched version

Plugin: Ledenbeheer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: GS Shots for Dribbble

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Authenticated (Subscriber+) Missing Authorization to Server-Side Request Forgery
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: WP MediaTagger

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EO4WP: EmailOctopus for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ResAds

Vulnerability: Reflected Cross-Site Scripting via Multiple Parameters
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slotti Ajanvaraus

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Options Update
Patched Version: 1.17.6
Recommended Action: Update to version 1.17.6, or a newer patched version

Plugin: Sinking Dropdowns WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VibeBP

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.9.9.5.1
Recommended Action: Update to version 1.9.9.5.1, or a newer patched version

Plugin: Classic Addons – WPBakery Page Builder

Vulnerability: Authenticated (Editor+) Local File Inclusion
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: WP SecureSubmit

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Files Download Delay

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BVD Easy Gallery Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Data Tables Generator by Supsystic

Vulnerability: Missing Authorization
Patched Version: 1.10.37
Recommended Action: Update to version 1.10.37, or a newer patched version

Plugin: wpSOL

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Coins MarketCap

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.5.9
Recommended Action: Update to version 5.5.9, or a newer patched version

Plugin: Linear

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager

Vulnerability: Missing Authorization
Patched Version: 3.3.04
Recommended Action: Update to version 3.3.04, or a newer patched version

Plugin: Elevio

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Goodlayers Core

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Missing Authorization to Order Updates
Patched Version: 5.7.9
Recommended Action: Update to version 5.7.9, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 24.0.4
Recommended Action: Update to version 24.0.4, or a newer patched version

Plugin: WPBookit

Vulnerability: Unauthenticated Arbitrary User Password Change
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Top Comments

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VibeBP

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.9.9.7.7
Recommended Action: Update to version 1.9.9.7.7, or a newer patched version

Plugin: Transporters.io

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Easy Language Switcher

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Duplicator

Vulnerability: Authenticated (Contributor+) Protected Post Disclosure
Patched Version: 2.37
Recommended Action: Update to version 2.37, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Unauthenticated Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion
Patched Version: 4.25.0
Recommended Action: Update to version 4.25.0, or a newer patched version

Plugin: Embed PDF Viewer

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Fast Tube

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Piotnet Addons For Elementor

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Heading Widget
Patched Version: 2.4.32
Recommended Action: Update to version 2.4.32, or a newer patched version

Plugin: Mang Board WP

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: No subtitle
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GS Insever Portfolio

Vulnerability: Missing Authorization to Authenticated (Subscriber+) CSS Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Booking Calendar

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via ‘booking’ Shortcode
Patched Version: 10.9.3
Recommended Action: Update to version 10.9.3, or a newer patched version

Plugin: Deliver via Shipos for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via dvsfw_bulk_label_url Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Member Directory and Contact Form

Vulnerability: Missing Authorization
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Missing Authorization
Patched Version: 0.9.107
Recommended Action: Update to version 0.9.107, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Addons for Elementor <= 5.10.14
Patched Version: 5.10.15
Recommended Action: Update to version 5.10.15, or a newer patched version

Plugin: ECT Home Page Products

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JobBoard Job listing plugin

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Ultimate Learning Pro

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Unauthenticated Database Back-Up Exposure
Patched Version: 7.4
Recommended Action: Update to version 7.4, or a newer patched version

Plugin: RRAddons for Elementor

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Product tabs for WooCommerce

Vulnerability: Authenticated (Shop Manager+) PHP Object Injection
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Notify Odoo

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: SureForms – Drag and Drop Form Builder for WordPress

Vulnerability: Missing Authorization to Unauthenticated Protected Post Disclosure
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Highlight Sitewide Notice, Text, Button Menu

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: SEMA API

Vulnerability: Reflected Cross-Site Scripting via catid Parameter
Patched Version: 5.30
Recommended Action: Update to version 5.30, or a newer patched version

Plugin: WP jQuery DataTable

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: Themify Audio Dock

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Gulri Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.9
Recommended Action: Update to version 3.5.9, or a newer patched version

Plugin: User Referral ( Free ) – Points, Rewards, Loyalty, Leader Board & Referrals Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Themesflat Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: EMC2 Alert Boxes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hestia Nginx Cache

Vulnerability: Missing Authorization
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups

Vulnerability: Missing Authorization to Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Spotlightr

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MashShare – Social Media Share Buttons, Social Share Icons

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MIMO Woocommerce Order Tracking

Vulnerability: Missing Authorization to Limited Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: A5 Custom Login Page

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: One to one user Chat by WPGuppy

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: VibeBP

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.9.9.5
Recommended Action: Update to version 1.9.9.5, or a newer patched version

Plugin: AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K)

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AFI – The Easiest Integration Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.97.0
Recommended Action: Update to version 1.97.0, or a newer patched version

Plugin: Upload Scanner

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: InfiniteWP Client

Vulnerability: Unauthenticated Limited Directory Traversal to Arbitrary .txt File Reading
Patched Version: 1.13.1
Recommended Action: Update to version 1.13.1, or a newer patched version

Plugin: Coupon Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Header Builder Plugin – Pearl

Vulnerability: Cross-Site Request Forgery to Header Deletion
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: WP Travel – Ultimate Travel Booking System, Tour Management Engine

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Export All Posts, Products, Orders, Refunds & Users

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Modal Popup
Patched Version: 1.14
Recommended Action: Update to version 1.14, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K)

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Twitter Bootstrap Collapse aka Accordian Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive FlipBook Plugin WordPress

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leads CRM for WordPress WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Grid Elementor Addon

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.19
Recommended Action: Update to version 2.0.19, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Missing Authorization
Patched Version: 4.10.57
Recommended Action: Update to version 4.10.57, or a newer patched version

Plugin: Wishlist for WooCommerce: Multi Wishlists Per Customer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Woocommerce check pincode/zipcode for shipping

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CLUEVO LMS, E-Learning Platform

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Super Backup & Clone – Migrate for WordPress

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Pronamic Google Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: DynamicTags

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress File Upload

Vulnerability: Unauthenticated Path Traversal to Arbitrary File Read in wfu_file_downloader.php
Patched Version: 4.24.14
Recommended Action: Update to version 4.24.14, or a newer patched version

Plugin: Yumpu E-Paper publishing

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JSP Store Locator

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hide Category by User Role for WooCommerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Skyword API Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chative Live chat and Chatbot

Vulnerability: Cross-Site Request Forgery via add_chative_widget_action Function
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: ConvertCalculator for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Interactive UK Map

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.4.9
Recommended Action: Update to version 3.4.9, or a newer patched version

Plugin: Wizhi Multi Filters by Wenprise

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Trackserver

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: Privacy Policy Genius

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ElementsCSS Addons for Elementor (Elementor Widgets Extender & Addons)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Just Writing Statistics

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: Canvasflow for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Partners

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential WP Real Estate

Vulnerability: Missing Authorization to Arbitrary Post/Page Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pósturinn's Shipping with WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Ashe Extra

Vulnerability: Missing Authorization
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Tabulate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Garden Gnome Package

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes

Vulnerability: Authenticated (Shop manager+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Envato Elements – Photos & Elementor Templates

Vulnerability: Authenticated (Author+) Server-Side Request Forgery
Patched Version: 2.0.15
Recommended Action: Update to version 2.0.15, or a newer patched version

Plugin: Horoscope And Tarot

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: ProductDyno

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tidy Up

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Compact WP Audio Player

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 1.9.15
Recommended Action: Update to version 1.9.15, or a newer patched version

Plugin: WooCommerce – PDF Vouchers

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.9
Recommended Action: Update to version 4.9.9, or a newer patched version

Plugin: CRM WordPress Plugin – RepairBuddy

Vulnerability: Authenticated (Customer+) Privilege Escalation via Account Takeover
Patched Version: 3.8120
Recommended Action: Update to version 3.8120, or a newer patched version

Plugin: The Ultimate WordPress Toolkit – WP Extended

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.0.12
Recommended Action: Update to version 3.0.12, or a newer patched version

Plugin: Inline Footnotes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart Shopify Product

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K)

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPAchievements Free

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Super Backup & Clone – Migrate for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BU Section Editing

Vulnerability: Reflected Cross-Site Scripting via [placeholder]
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WhatsApp 🚀 click to chat

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SearchIQ – The Search Solution

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: Smart Agenda – Prise de rendez-vous en ligne

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Grid Accordion Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates

Vulnerability: Missing Authorization
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: No subtitle
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Move Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: 5centsCDN – WordPress CDN Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Gift Cards for WooCommerce – Create WooCommerce Gift Cards, Gift Vouchers, Redeem & Manage Digital Gift Coupons. Offer Gift Certificates, Schedule Gift Cards, and Use Advance Coupons With Personalized Templates

Vulnerability: Missing Authorization to Infinite Money Glitch
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: WPKoi Templates for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: SvegliaT Buttons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TCBD Auto Refresher

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Super Backup & Clone – Migrate for WordPress

Vulnerability: Missing Authorization
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: WP MediaTagger

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chatroll Live Chat

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Dynamic Product Category Grid, Slider for WooCommerce

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.53
Recommended Action: Update to version 2.3.53, or a newer patched version

Plugin: WordPress Webinar Plugin – WebinarPress

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Webinar Updates
Patched Version: 1.33.25
Recommended Action: Update to version 1.33.25, or a newer patched version

Plugin: NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Transient Update
Patched Version: 1.17.6
Recommended Action: Update to version 1.17.6, or a newer patched version

Plugin: SKT Page Builder

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: Super Backup & Clone – Migrate for WordPress

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Searchie

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AyeCode Connect

Vulnerability: Missing Authorization
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Lemonade Social Networks Autoposter Pinterest

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPMasterToolKit (WPMTK) – All in one plugin

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.14.0
Recommended Action: Update to version 1.14.0, or a newer patched version

Plugin: Services updates for customers

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FAQs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: AI Magic – SEO Content Generator & Article Writer

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPSSO Core – Complete and Optimized Structured Data SEO

Vulnerability: Missing Authorization
Patched Version: 18.18.2
Recommended Action: Update to version 18.18.2, or a newer patched version

Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Vulnerability: Missing Authorization
Patched Version: 1.9.2.3
Recommended Action: Update to version 1.9.2.3, or a newer patched version

Plugin: AdWork Media EZ Content Locker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cost Calculator Builder PRO

Vulnerability: Unauthenticated SQL Injection via data
Patched Version: 3.2.16
Recommended Action: Update to version 3.2.16, or a newer patched version

Plugin: ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Premium Blocks – Gutenberg Blocks for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.43
Recommended Action: Update to version 2.1.43, or a newer patched version

Plugin: 워드프레스 결제 심플페이 – 우커머스 결제 플러그인

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version

Plugin: Simple Proxy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unlimited Elements For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 1.5.136
Recommended Action: Update to version 1.5.136, or a newer patched version

Plugin: Multiple Shipping And Billing Address For Woocommerce

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Image Hover Effects for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP SecureSubmit

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: userpro-messaging

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget
Patched Version: 2.10.44
Recommended Action: Update to version 2.10.44, or a newer patched version

Plugin: Contact Form 7 Redirect & Thank You Page

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Unlimited Theme Addon For Elementor and WooCommerce

Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Muslim Prayer Time-Salah/Iqamah

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.1002
Recommended Action: Update to version 1.7.1002, or a newer patched version

Plugin: SyncFields

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Agency Toolkit

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Options Update
Patched Version: 1.0.24
Recommended Action: Update to version 1.0.24, or a newer patched version

Plugin: Seraphinite Accelerator

Vulnerability: Authenticated (Subscriber+) Information Exposure
Patched Version: 2.22.16
Recommended Action: Update to version 2.22.16, or a newer patched version

Plugin: SlideDeck 1 Lite Content Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Event Espresso – Event Registration & Ticketing Sales

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.31.decaf
Recommended Action: Update to version 5.0.31.decaf, or a newer patched version

Plugin: One to one user Chat by WPGuppy

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

Vulnerability: Missing Authorization
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: Dominion – Domain Checker for WPBakery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Astra Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.16
Recommended Action: Update to version 1.2.16, or a newer patched version

Plugin: Easy Form Builder – WordPress plugin form builder: contact form, survey form, payment form, and custom form builder

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.8.9
Recommended Action: Update to version 3.8.9, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 1.7.1007
Recommended Action: Update to version 1.7.1007, or a newer patched version

Plugin: Floating Action Buttons

Vulnerability: Missing Authorization
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: SimplyRETS Real Estate IDX

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Arconix Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version

Plugin: Page Builder by SiteOrigin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Row Label Parameter
Patched Version: 2.31.1
Recommended Action: Update to version 2.31.1, or a newer patched version

Plugin: ARPrice – WordPress Pricing Table Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration – WpRently | WordPress plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bitly's WordPress Plugin

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AHAthat Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.19.3
Recommended Action: Update to version 3.19.3, or a newer patched version

Plugin: Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder

Vulnerability: Missing Authorization to Unauthenticated Local PHP File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Authenticated (Author+) Arbitrary File Upload via gh_big_file_upload Function
Patched Version: 3.7.3.6
Recommended Action: Update to version 3.7.3.6, or a newer patched version

Plugin: linkID

Vulnerability: Missing Authorization to Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Allada T-shirt Designer for Woocommerce – Custom Product Designer for T-shirt personalization and design

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Ultimate WordPress Toolkit – WP Extended

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Remote Code Execution
Patched Version: 3.0.12
Recommended Action: Update to version 3.0.12, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 4.24.14
Recommended Action: Update to version 4.24.14, or a newer patched version

Plugin: Piotnet Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wayne Audio Player

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Locatoraid Store Locator

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.9.51
Recommended Action: Update to version 3.9.51, or a newer patched version

Plugin: Spoki – Chat Buttons and WooCommerce Notifications

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.15.16
Recommended Action: Update to version 2.15.16, or a newer patched version

Plugin: gap-hub-user-role.

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accordion Slider Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Perfect Portal Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: BSK Forms Blacklist

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPMozo Addons Lite for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button Link
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Themify Builder

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 7.6.5
Recommended Action: Update to version 7.6.5, or a newer patched version

Plugin: PlainInventory – Inventory Management Plugin

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: EditionGuard for WooCommerce – eBook Sales with DRM

Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kikx Simple Post Author Filter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 – Dynamic Text Extension

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.2
Recommended Action: Update to version 5.0.2, or a newer patched version

Plugin: ARPrice – WordPress Pricing Table Plugin

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Action Network

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GatorMail SmartForms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Reminders

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Awesome Responsive Photo Gallery – Image & Video Lightbox Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: ShopElement

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.85
Recommended Action: Update to version 2.3.85, or a newer patched version

Plugin: SendSMS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Widget Options – The #1 WordPress Widget & Block Control Plugin

Vulnerability: Missing Authorization
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: Contact Form Master – by Edmon

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Nice Loader

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag Parameter
Patched Version: 2.10.44
Recommended Action: Update to version 2.10.44, or a newer patched version

Plugin: WordPress Google Map Professional (Map In Your Language)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fantastic ElasticSearch

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.3.3.6
Recommended Action: Update to version 1.3.3.6, or a newer patched version

Plugin: Wp advertising management

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post/Page Copying Tool to Export and Import post/page for Cross site Migration

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: ARPrice – WordPress Pricing Table Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Vulnerability: Authentication Bypass via pms_payment_id
Patched Version: 2.13.8
Recommended Action: Update to version 2.13.8, or a newer patched version

Plugin: WP eCommerce Quickpay

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fancy Product Designer

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Dashboard

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPBITS Addons For Elementor Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Pretty Simple Popup Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version

Plugin: ACH Invoicing Plugin

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Target Notifications

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GS Coaches

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: SSL Wireless SMS Notification

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fancy Product Designer

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Push Notification for Post and BuddyPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Docs

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Super Backup & Clone – Migrate for WordPress

Vulnerability: Missing Authorization to Unauthenticated Back-Up File Download
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: News Kit Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HTML5 Video Player – mp4 Video Player Plugin and Block

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via heading Parameter
Patched Version: 2.5.36
Recommended Action: Update to version 2.5.36, or a newer patched version

Plugin: Category Post Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ACF City Selector

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.15.0
Recommended Action: Update to version 1.15.0, or a newer patched version

Plugin: WP Smart TV

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: HTML Forms – Simple WordPress Forms Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups

Vulnerability: Missing Authorization
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.15.2
Recommended Action: Update to version 3.15.2, or a newer patched version

Plugin: NAVER Analytics

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clasify Classified Listing

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shipping via Planzer for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via processed-ids
Patched Version: 1.0.26
Recommended Action: Update to version 1.0.26, or a newer patched version

Plugin: CodeBard Help Desk

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: 3DVieweronline

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Modula Image Gallery

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 2.11.11
Recommended Action: Update to version 2.11.11, or a newer patched version

Plugin: Saoshyant Element

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ARPrice – WordPress Pricing Table Plugin

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VRPConnector

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Webinar Plugin – WebinarPress

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Creation
Patched Version: 1.33.25
Recommended Action: Update to version 1.33.25, or a newer patched version

Plugin: 10CentMail

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Missing Authorization
Patched Version: 1.7.1002
Recommended Action: Update to version 1.7.1002, or a newer patched version

Plugin: SaasPricing – Pricing Table, Price list, Comparison Table for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FV Descriptions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE

Vulnerability: Authenticated (Contributor+) Post Disclosure via Post Duplication
Patched Version: 1.4.6.3
Recommended Action: Update to version 1.4.6.3, or a newer patched version

Plugin: WPMasterToolKit (WPMTK) – All in one plugin

Vulnerability: Authenticated (Admin+) Arbitrary File Download
Patched Version: 1.14.0
Recommended Action: Update to version 1.14.0, or a newer patched version

Plugin: Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.21
Recommended Action: Update to version 1.3.21, or a newer patched version

Plugin: WPMozo Addons Lite for Elementor

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Greenshift – animation and page builder blocks

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Server-Side Request Forgery and Stored Cross-Site Scripting
Patched Version: 9.0.1
Recommended Action: Update to version 9.0.1, or a newer patched version

Plugin: JSP Store Locator

Vulnerability: Cross-Site Request Forgery to Store Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Simple Sitemap

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
