Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: We’re Open!
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.38
Recommended Action: Update to version 1.38, or a newer patched version
Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)
Vulnerability: Cross-Site Request Forgery in new_voucher_template.php
Patched Version: 4.3.6
Recommended Action: Update to version 4.3.6, or a newer patched version
Plugin: MOLIE – Instructure Canvas Linking tool
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Socializer – Simple & Easy Social Media Share Icons
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.3
Recommended Action: Update to version 7.3, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Unauthenticated Blind SQL Injection
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: BuddyPress
Vulnerability: Authorization Bypass to Private Message Disclosure
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version
Plugin: User Activity Log
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: WidgetShortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Abandoned Cart Lite for WooCommerce
Vulnerability: SQL Injection
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.24.4
Recommended Action: Update to version 1.24.4, or a newer patched version
Plugin: Backup Migration
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Live Scores for SportsPress
Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Header Footer Code Manager
Vulnerability: Authenticated SQL Injections
Patched Version: 1.1.14
Recommended Action: Update to version 1.1.14, or a newer patched version
Plugin: kk Star Ratings – Rate Post & Collect User Feedbacks
Vulnerability: Race Condition to Multiple User Voting
Patched Version: 5.4.6
Recommended Action: Update to version 5.4.6, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: AccessPress Social Icons
Vulnerability: Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: WP-DBManager
Vulnerability: Authenticated (Admin+) Remote Code Execution on Multi-Site
Patched Version: 2.80.8
Recommended Action: Update to version 2.80.8, or a newer patched version
Plugin: WP-Contact
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image Slider
Vulnerability: Subscriber+ SQL Injection
Patched Version: 1.1.121
Recommended Action: Update to version 1.1.121, or a newer patched version
Plugin: W3 Total Cache
Vulnerability: Password Hash Extraction
Patched Version: 0.9.2.5
Recommended Action: Update to version 0.9.2.5, or a newer patched version
Plugin: Spiffy Calendar
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.9.2
Recommended Action: Update to version 4.9.2, or a newer patched version
Plugin: Edit Comments XT
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Appointment Booking Calendar
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.3.35
Recommended Action: Update to version 1.3.35, or a newer patched version
Plugin: iPanorama 360 – Advanced Virtual Tour Builder
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: Catch Themes Demo Import
Vulnerability: Arbitrary File Upload
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: Timely All-in-One Events Calendar
Vulnerability: Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Titan Framework
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Cross-Linker
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: SearchWP Premium
Vulnerability: Authenticated (Subscriber+) Nonce Leakage and Authorization Bypass
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Unauthorized Profile Modification
Patched Version: 2.0.40
Recommended Action: Update to version 2.0.40, or a newer patched version
Plugin: PowerPress Podcasting plugin by Blubrry
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.5
Recommended Action: Update to version 6.0.5, or a newer patched version
Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin
Vulnerability: Cross-Site Scripting via p_name parameter
Patched Version: 1.5.63
Recommended Action: Update to version 1.5.63, or a newer patched version
Plugin: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder
Vulnerability: Missing Authorization
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Missing Authorization to Product Creation/Modification
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version
Plugin: Woocommerce Tabs Plugin, Add Custom Product Tabs
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-ContactForm
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Arigato Autoresponder and Newsletter
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.7.1.1
Recommended Action: Update to version 2.7.1.1, or a newer patched version
Plugin: WF Cookie Consent
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Math Comment Spam Protection
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Blaze Slideshow
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.33
Recommended Action: Update to version 1.2.33, or a newer patched version
Plugin: Facebook for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.15
Recommended Action: Update to version 1.9.15, or a newer patched version
Plugin: WP Maps – Display Google Maps Perfectly with Ease
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: BlogVault WordPress Backup Plugin – Migration, Staging, and Backups
Vulnerability: 1.44
Patched Version: 1.45
Recommended Action: Update to version 1.45, or a newer patched version
Core: WordPress
Vulnerability: SQL Injection via WP_Meta_Query
Patched Version: 4.1.34
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.34, 4.2.31, 4.3.27, 4.4.26, 4.5.25, 4.6.22, 4.7.22, 4.8.18, 4.9.19, 5.0.15, 5.1.12, 5.2.14, 5.3.11, 5.4.9, 5.5.8, 5.6.7, 5.7.5, 5.8.3
Plugin: Easy Digital Downloads – Simple Shipping
Vulnerability: Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: Sitekit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘sitekit_iframe’ shortcode
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Free counter
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: VK Filter Search
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms
Vulnerability: Kali Forms <= 2.3.36
Patched Version: 2.3.37
Recommended Action: Update to version 2.3.37, or a newer patched version
Plugin: Visual Link Preview
Vulnerability: Unauthorized AJAX Calls
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: JS Job Manager
Vulnerability: Cross-Site Request Forgery via multiple functions
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Restaurant Menu – Food Ordering System – Table Reservation
Vulnerability: Missing Authorization on AJAX Actions
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: PDQ CSV
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: Subscribe To Comments Reloaded
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 140219
Recommended Action: Update to version 140219, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Local File Inclusion
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version
Plugin: Leyka
Vulnerability: Privilege Escalation via Admin Password Reset
Patched Version: 3.30.3
Recommended Action: Update to version 3.30.3, or a newer patched version
Plugin: Slideshow Gallery LITE
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 1.5.3.2
Recommended Action: Update to version 1.5.3.2, or a newer patched version
Plugin: Category Post List Widget
Vulnerability: Unauthenticated Stored Cross-Site Scripting via custom_css
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Vulnerability: Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: The Awesome Feed – Custom Feed
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Plugin: Event Monster – Event Management, Tickets Booking, Upcoming Event
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Smart Slider 3
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.1.14
Recommended Action: Update to version 3.5.1.14, or a newer patched version
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Missing Authorization on Various AJAX Actions
Patched Version: 7.8
Recommended Action: Update to version 7.8, or a newer patched version
Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings
Vulnerability: Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation
Patched Version: 7.5.5
Recommended Action: Update to version 7.5.5, or a newer patched version
Plugin: Bloom Email Opt-In
Vulnerability: Privilege Escalation
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Ideal Interactive Map
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easing Slider
Vulnerability: Cross-Site Scripting
Patched Version: 2.2.0.7
Recommended Action: Update to version 2.2.0.7, or a newer patched version
Plugin: MemberPress Downloads
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: Recipe Cards For Your Food Blog from Zip Recipes
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 8.1.1
Recommended Action: Update to version 8.1.1, or a newer patched version
Plugin: JM Twitter Cards
Vulnerability: Full Path Disclosure
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version
Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version
Plugin: Ruven Toolkit
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: IP Blacklist Cloud
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooDiscuz – WooCommerce Comments
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: Companion Sitemap Generator – HTML & XML
Vulnerability: Cross-Site Request Forgery and Local File Inclusion
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version
Plugin: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.1.28
Recommended Action: Update to version 3.1.28, or a newer patched version
Plugin: Simple Custom CSS and JS
Vulnerability: Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: Dynamics 365 Integration
Vulnerability: Missing Authorization via init
Patched Version: 1.3.14
Recommended Action: Update to version 1.3.14, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Missing Authorization to Information Exposure
Patched Version: 5.0.4
Recommended Action: Update to version 5.0.4, or a newer patched version
Plugin: WPForms Pro
Vulnerability: CSV Injection
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Cross-Site Scripting
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version
Plugin: Image vertical reel scroll slideshow
Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version
Plugin: Clipr
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Admin Language Change
Vulnerability: Authorization Bypass
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Product Input Fields for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: JetBackup – WP Backup, Migrate & Restore
Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Core: WordPress
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 3.7.25
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.25, 3.8.25, 3.9.23, 4.0.22, 4.1.22, 4.2.19, 4.3.15, 4.4.14, 4.5.13, 4.6.10, 4.7.9, 4.8.5, 4.9.2
Plugin: Safe SVG
Vulnerability: Denial of Service
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Privilege Escalation
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Mingle Forum
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version
Plugin: Indeed Membership Pro
Vulnerability: Remote Image File Inclusion
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version
Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Vulnerability: Reflected Cross-Site Scripting via ‘ays_pb_tab’ Parameter
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Plaintext Storage of Credentials
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: Maspik – Advanced Spam Protection
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.7.9
Recommended Action: Update to version 0.7.9, or a newer patched version
Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.2.18
Recommended Action: Update to version 3.2.18, or a newer patched version
Plugin: WpStream – Live Streaming, Video on Demand, Pay Per View
Vulnerability: Cross-Site Request Forgery via wpstream_settings
Patched Version: 4.4.10.6
Recommended Action: Update to version 4.4.10.6, or a newer patched version
Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Content Deletion
Patched Version: 7.6.1
Recommended Action: Update to version 7.6.1, or a newer patched version
Plugin: WordPress Leads
Vulnerability: Authorization Bypass
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: WPAMS – Apartment Management System for wordpress
Vulnerability: Apartment Management System for wordpress Theme < 17-07-2019
Patched Version: 17-07-2019
Recommended Action: Update to version 17-07-2019, or a newer patched version
Plugin: Car Rental by BestWebSoft
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: SQL Injection
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: BJ Lazy Load
Vulnerability: Remote File Inclusion via TimThumb
Patched Version: 1.0
Recommended Action: Update to version 1.0, or a newer patched version
Plugin: YouSayToo auto-publishing plugin
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Builder by Themify
Vulnerability: Email Injection
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: WP phpMyAdmin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.0.4
Recommended Action: Update to version 5.2.0.4, or a newer patched version
Plugin: Drag and Drop Multiple File Upload – Contact Form 7
Vulnerability: Contact Form 7 <= 1.3.3.2
Patched Version: 1.3.3.3
Recommended Action: Update to version 1.3.3.3, or a newer patched version
Plugin: Bubble Menu – Sticky Navigation with Floating Button Menu Solution
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Core: WordPress
Vulnerability: Authenticated SQL Injection
Patched Version: 3.7.39
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.39, 3.8.39, 3.9.37, 4.0.36, 4.1.36, 4.2.33, 4.3.29, 4.4.28, 4.5.27, 4.6.24, 4.7.24, 4.8.20, 4.9.21, 5.0.17, 5.1.14, 5.2.16, 5.3.13, 5.4.11, 5.5.10, 5.6.9, 5.7.7, 5.8.5, 5.9.4, 6.0.2
Plugin: WP Fastest Cache
Vulnerability: Cross-Site Request Forgery via ‘wpfc_preload_single_save_settings_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: WP Reset – Most Advanced WordPress Reset Tool
Vulnerability: Authenticated Stored Cross-Site Scripting via extra_data Parameter
Patched Version: 1.90
Recommended Action: Update to version 1.90, or a newer patched version
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.12.1
Recommended Action: Update to version 5.12.1, or a newer patched version
Plugin: WP Booklet
Vulnerability: Authenticated (Subscriber+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: TS Webfonts for さくらのレンタルサーバ
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.5.5
Recommended Action: Update to version 5.5.5, or a newer patched version
Plugin: Simple Ads Manager
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.10.0.130
Recommended Action: Update to version 2.10.0.130, or a newer patched version
Plugin: Gallery – Video Gallery and YouTube Gallery
Vulnerability: Video Gallery and YouTube Gallery <= 2.0.3
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Comments – wpDiscuz
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Comment Uploaded Image Filename
Patched Version: 7.6.12
Recommended Action: Update to version 7.6.12, or a newer patched version
Plugin: RSVPMaker
Vulnerability: Server-Side Request Forgery
Patched Version: 8.7.4
Recommended Action: Update to version 8.7.4, or a newer patched version
Plugin: ChatBot Conversational Forms
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking
Vulnerability: Arbitrary File Upload
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version
Plugin: WORDPRESS VIDEO GALLERY
Vulnerability: Improper Access Control
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
Vulnerability: Subscriber+ Arbitrary File Creation/Upload/Deletion
Patched Version: 5.2.3
Recommended Action: Update to version 5.2.3, or a newer patched version
Plugin: MyBookTable Bookstore by Stormhill Media
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: WPMobile.App — Android and iOS Mobile Application
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 11.21
Recommended Action: Update to version 11.21, or a newer patched version
Plugin: Blog2Social: Social Media Auto Post & Scheduler
Vulnerability: PHP Object Injection
Patched Version: 6.9.4
Recommended Action: Update to version 6.9.4, or a newer patched version
Plugin: Asgaros Forum
Vulnerability: Unauthenticated PHP Object Injection in prepare_unread_status
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version
Plugin: Easy Contact Form Solution
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Property Hive
Vulnerability: Remote Code Execution
Patched Version: 1.4.26
Recommended Action: Update to version 1.4.26, or a newer patched version
Plugin: Updraft
Vulnerability: Reflected Cross-Site Scripting via ‘backup_timestamp’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version
Plugin: YouTube Playlist Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6.8
Recommended Action: Update to version 4.6.8, or a newer patched version
Plugin: WooCommerce Easy Duplicate Product
Vulnerability: Missing Authorization via wedp_duplicate_product_action
Patched Version: 0.3.0.8
Recommended Action: Update to version 0.3.0.8, or a newer patched version
Plugin: Filr – Secure document library
Vulnerability: Missing Authorization
Patched Version: 1.2.2.1
Recommended Action: Update to version 1.2.2.1, or a newer patched version
Plugin: KP Fastest Tawk.to Chat
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AS – Create Pinterest Pinboard Pages
Vulnerability: Authenticated Options Change to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Essential Grid Portfolio – Photo Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version
Plugin: PhotoXhibit
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Cross-Site Scripting
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Cross-Site Request Forgery via process_bulk_activate_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version
Plugin: WP Admin UI Customize
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 1.5.13
Recommended Action: Update to version 1.5.13, or a newer patched version
Plugin: WP Google Fonts
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: ElasticPress
Vulnerability: Directory Traversal
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version
Plugin: CatalogX – Product Catalog Mode For WooCommerce
Vulnerability: Missing Authorization
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version
Plugin: Sensei LMS – Online Courses, Quizzes, & Learning
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.18.0
Recommended Action: Update to version 4.18.0, or a newer patched version
Plugin: OpenInviter for WordPress
Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PowerPress Podcasting plugin by Blubrry
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery via wp_ajax_powerpress_media_info
Patched Version: 11.0.7
Recommended Action: Update to version 11.0.7, or a newer patched version
Plugin: WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: WP GDPR
Vulnerability: Missing Authorization Checks
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Time Slots Booking Form
Vulnerability: Cross-Site Request Forgery to Feedback Submission
Patched Version: 1.1.77
Recommended Action: Update to version 1.1.77, or a newer patched version
Plugin: WP Cerber Security, Anti-spam & Malware Scan
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 8.9.6
Recommended Action: Update to version 8.9.6, or a newer patched version
Plugin: Credova Financial
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via imported form title
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version
Plugin: JivoChat Live Chat – WP live chat plugin for WordPress
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.3.5.4
Recommended Action: Update to version 1.3.5.4, or a newer patched version
Plugin: Read More Excerpt Link
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in admin_widgets_welcome function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: GigPress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Cross-Site Request Forgery to Sensitive Information Exposure
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version
Plugin: Daily Inspiration Generator
Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ND Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.6
Recommended Action: Update to version 6.6, or a newer patched version
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: SQL Injection
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version
Plugin: WordPress Social Comments Plugin for Vkontakte Comments and Disqus Comments
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Fix My Feed RSS Repair
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Google Analytics
Patched Version: 8.9.1
Recommended Action: Update to version 8.9.1, or a newer patched version
Plugin: WP Airbnb Review Slider
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version
Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction
Vulnerability: Authentication Bypass
Patched Version: 3.7.1.6
Recommended Action: Update to version 3.7.1.6, or a newer patched version
Plugin: Gravity Forms
Vulnerability: SQL Injection
Patched Version: 1.9.3.6
Recommended Action: Update to version 1.9.3.6, or a newer patched version
Plugin: Visual Email Designer for WooCommerce
Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: AJAX Thumbnail Rebuild
Vulnerability: Missing Authorization
Patched Version: 1.14
Recommended Action: Update to version 1.14, or a newer patched version
Plugin: CRM WordPress Plugin – RepairBuddy
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: DTracker
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: e-signature
Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 1.5.6.8
Recommended Action: Update to version 1.5.6.8, or a newer patched version
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version
Plugin: Twitch Player
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: Site Reviews
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute
Patched Version: 6.6.0
Recommended Action: Update to version 6.6.0, or a newer patched version
Plugin: Custom Product Tabs for WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: WP Dialog
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VK Blocks Pro
Vulnerability: Stored (Contributor+) Cross-Site Scripting in Post
Patched Version: 1.54.0
Recommended Action: Update to version 1.54.0, or a newer patched version
Plugin: Zero Spam for WordPress
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.4.5
Recommended Action: Update to version 5.4.5, or a newer patched version
Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.6.2
Recommended Action: Update to version 2.2.6.2, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Stored Cross-Site Scripting via Profile
Patched Version: 4.7.7
Recommended Action: Update to version 4.7.7, or a newer patched version
Plugin: WooCommerce Warranty Requests
Vulnerability: Missing Authorization
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: WordPress Robots.txt optimizer (+ XML Sitemap) – Boost SEO, Traffic & Rankings
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: E2Pdf – Export Pdf Tool for WordPress
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.20.26
Recommended Action: Update to version 1.20.26, or a newer patched version
Plugin: Map Block for Google Maps
Vulnerability: Unprotected AJAX Action
Patched Version: 1.32
Recommended Action: Update to version 1.32, or a newer patched version
Plugin: WP Bootstrap Gallery
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HMS Testimonials
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version
Plugin: WordPress Infinite Scroll – Ajax Load More
Vulnerability: Cross-Site Request Forgery to PHAR Deserialization
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version
Plugin: Contact Form for WordPress – Ultimate Form Builder Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Cross-Site Request Forgery via process_duplicate_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version
Plugin: Document Embedder – Document Embedder Plugin
Vulnerability: Sensitive Data Exposure
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: Weather Effect – Christmas, Santa, Snow Falling, Snowflake Effect
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Reflected Cross-Site Scripting via error message
Patched Version: 4.11.0
Recommended Action: Update to version 4.11.0, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Parameter Tampering
Patched Version: 3.2.15
Recommended Action: Update to version 3.2.15, or a newer patched version
Plugin: GTM4WP – A Google Tag Manager (GTM) plugin for WordPress
Vulnerability: Reflected Cross-Site Scripting via Site Search
Patched Version: 1.15.1
Recommended Action: Update to version 1.15.1, or a newer patched version
Plugin: Hide My WP – Amazing Security Plugin for WordPress!
Vulnerability: SQL Injection
Patched Version: 6.2.4
Recommended Action: Update to version 6.2.4, or a newer patched version
Core: WordPress
Vulnerability: Stored Cross-Site Scripting via filenames
Patched Version: 3.7.21
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.21, 3.8.21, 3.9.19, 4.0.18, 4.1.18, 4.2.15, 4.3.11, 4.4.10, 4.5.9, 4.6.6, 4.7.5
Plugin: WordPress NextGen GalleryView
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Visitor Traffic Real Time Statistics
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: WooCommerce Customers Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 26.6
Recommended Action: Update to version 26.6, or a newer patched version
Plugin: mini-cart
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Five Star Restaurant Menu and Food Ordering
Vulnerability: Cross-Site Request Forgery via maybe_duplicate_item
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: Live Chat by Formilla – Real-time Chat & Chatbots Plugin
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaID’
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting via CSS
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1
Plugin: underConstruction
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.21
Recommended Action: Update to version 1.21, or a newer patched version
Plugin: WP Comment Remix
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: BuddyPress
Vulnerability: Authorization Bypass to Friend Invite
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version
Plugin: SlimStat Analytics
Vulnerability: Cross-Site Scripting
Patched Version: 4.1.6.1
Recommended Action: Update to version 4.1.6.1, or a newer patched version
Plugin: Dave's WordPress Live Search
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Unite Gallery Lite
Vulnerability: Cross-Site Request Forgery & Authenticated SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Maps Widget for Google Maps
Vulnerability: Cross-Site Request Forgery via dismiss_notice
Patched Version: 4.24
Recommended Action: Update to version 4.24, or a newer patched version
Plugin: Slideshow SE
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version
Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection
Vulnerability: Open Redirection via redirect_to_https
Patched Version: 8.1.5
Recommended Action: Update to version 8.1.5, or a newer patched version
Plugin: WPSOLR – Elasticsearch and Solr search
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.7
Recommended Action: Update to version 8.7, or a newer patched version
Plugin: Request a Quote
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Ultimate Form Builder <= 8.3.2
Patched Version: 8.3.3
Recommended Action: Update to version 8.3.3, or a newer patched version
Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Cross-Site Request Forgery via migrateCommonToProductOnly function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: WPQA – Builder forms Addon For WordPress
Vulnerability: Builder forms Addon For WordPress <= 5.4
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version
Plugin: Captcha by BestWebSoft – Spam Protection, Security Plugin for WordPress Forms
Vulnerability: CAPTCHA Bypass
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: Falang multilanguage for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.18
Recommended Action: Update to version 1.3.18, or a newer patched version
Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More
Vulnerability: Reflected Cross-Site Scripting via ‘delete_mobile’
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Sensitive Information Disclosure
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 6.5.8
Recommended Action: Update to version 6.5.8, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting and Settings Reset
Patched Version: 4.2.9
Recommended Action: Update to version 4.2.9, or a newer patched version
Plugin: Tooltipy (tooltips for WP)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty
Vulnerability: Chaty <= 3.0.2
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: NewStatPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: Culture Object
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Plugin: Advance Menu Manager
Vulnerability: Missing Authorization
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: Compfight
Vulnerability: Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Arbitrary File Upload
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version
Plugin: Better Click To Tweet
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.10.4
Recommended Action: Update to version 5.10.4, or a newer patched version
Plugin: Portable phpMyAdmin
Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Sharebar
Vulnerability: SQL Injection
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Call Now Accessibility Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Core: WordPress
Vulnerability: Type Confusion
Patched Version: 3.7.31
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.31, 3.8.31, 3.9.29, 4.0.28, 4.1.28, 4.2.25, 4.3.21, 4.4.20, 4.5.19, 4.6.16, 4.7.14, 4.8.11, 4.9.12, 5.0.7, 5.1.3, 5.2.4
Plugin: WatchTowerHQ
Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 3.6.16
Recommended Action: Update to version 3.6.16, or a newer patched version
Plugin: Category Post List Widget
Vulnerability: Cross-Site Request Forgery via get_cplw_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NewStatPress
Vulnerability: SQL Injection
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: Broken Link Manager
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.15.6
Recommended Action: Update to version 1.15.6, or a newer patched version
Plugin: WP BrowserUpdate
Vulnerability: Cross-Site Request Forgery via wpbu_administration
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: Internal Links Manager
Vulnerability: Multiple Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: Recommended Products – EDD
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.3.3
Recommended Action: Update to version 1.2.3.3, or a newer patched version
Plugin: Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Table of Contents Plus
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2309
Recommended Action: Update to version 2309, or a newer patched version
Plugin: Avada (Fusion) Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version
Plugin: GDPR Compliance & Cookie Consent
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: demon image annotation
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version
Plugin: WordPress NextGen GalleryView
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Jquery accordion slideshow
Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version
Core: WordPress
Vulnerability: SQL Injection
Patched Version: 0.72
Recommended Action: Update to version 0.72, or a newer patched version
Plugin: Simple SEO
Vulnerability: Cross-Site Request Forgery via multiple admin_post functions
Patched Version: 2.0.26
Recommended Action: Update to version 2.0.26, or a newer patched version
Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction
Vulnerability: 2.0.15
Patched Version: 2.0.16
Recommended Action: Update to version 2.0.16, or a newer patched version
Plugin: Webriti SMTP Mail
Vulnerability: Cross-Site Request Forgery to options update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Showbiz Pro Responsive Teaser WordPress Plugin
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DrawBlog
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.81
Recommended Action: Update to version 0.81, or a newer patched version
Plugin: Product Filter for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 8.2.0
Recommended Action: Update to version 8.2.0, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Content Cards
Vulnerability: Cross-Site Scripting
Patched Version: 0.9.7
Recommended Action: Update to version 0.9.7, or a newer patched version
Plugin: wp-forecast
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.0
Recommended Action: Update to version 8.0, or a newer patched version
Plugin: Media File Manager
Vulnerability: Directory Traversal to Directory Listing
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: firestats
Vulnerability: Remote File Inclusion
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Thumbnail Slider With Lightbox
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: EZP Coming Soon Page
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.74
Recommended Action: Update to version 1.0.74, or a newer patched version
Plugin: Booking Calendar Contact Form
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Feedback Form Submission
Patched Version: 1.2.35
Recommended Action: Update to version 1.2.35, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.62
Recommended Action: Update to version 4.62, or a newer patched version
Plugin: Disable User Login
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: WP Dummy Content Generator
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Quick Restaurant Menu
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version
Plugin: CALL ME NOW
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: LDAP Passback
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Core: WordPress
Vulnerability: Hash Collision
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1
Plugin: Portfolio Gallery
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Optima Express + MarketBoost IDX Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version
Plugin: underConstruction
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.19
Recommended Action: Update to version 1.19, or a newer patched version
Plugin: myftp-ftp-like-plugin-for-wordpress
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.15.19
Recommended Action: Update to version 1.15.19, or a newer patched version
Plugin: Publish Confirm Message
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: Pipdig Power Pack (P3)
Vulnerability: Backdoor
Patched Version: 4.8.0
Recommended Action: Update to version 4.8.0, or a newer patched version
Plugin: s2Framework
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: Media Library Assistant
Vulnerability: Unauthenticated Local/Remote File Inclusion & Remote Code Execution
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version
Plugin: 404 to 301 – Redirect, Log and Notify 404 Errors
Vulnerability: Missing Authorization to Redirect Creation
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: PDF & Print by BestWebSoft – WordPress Posts and Pages PDF Generator Plugin
Vulnerability: Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: MainWP Wordfence Extension
Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version
Plugin: VikRentCar Car Rental Management System
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: VK Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block
Patched Version: 1.64.0.0
Recommended Action: Update to version 1.64.0.0, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated Stored Cross-Site Scripting via Text Editor
Patched Version: 2.5.5.3
Recommended Action: Update to version 2.5.5.3, or a newer patched version
Plugin: Comment Rating
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Top Bar
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version
Plugin: wSecure Lite
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: DSGVO All in one for WP
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version
Plugin: Advanced Local Pickup for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Lazy Load
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.6.1
Recommended Action: Update to version 0.6.1, or a newer patched version
Plugin: Campaign URL Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Create Link
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version
Plugin: Autotitle for WordPress
Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smash Balloon Social Photo Feed – Easy Social Feeds Plugin
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: Rezgo Online Booking
Vulnerability: Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version
Plugin: Telephone Number Linker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Link Juice Keeper
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: Audio Merchant
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Facebook Members
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version
Plugin: WP Media Cleaner
Vulnerability: Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: WooCommerce Square
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version
Plugin: WPML
Vulnerability: Cross-Site Scripting in Accept-Language Header
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version
Plugin: Export All URLs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version
Plugin: Form Vibes – Database Manager for Forms
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: Download Manager
Vulnerability: Missing Authorization
Patched Version: 3.1.18
Recommended Action: Update to version 3.1.18, or a newer patched version
Plugin: Admin Columns
Vulnerability: No subtitle
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version
Plugin: ADIF Log Search Widget
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEOPress – On-site SEO
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 6.5.0.3
Recommended Action: Update to version 6.5.0.3, or a newer patched version
Plugin: Slideshow Gallery LITE
Vulnerability: Arbitrary File Upload
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: Scoutnet Kalender
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Videos sync PDF
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Recip.ly Plugin
Vulnerability: Unauthenticated Arbitrary File Upload in uploadImage.php
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 0.5.28
Recommended Action: Update to version 0.5.28, or a newer patched version
Plugin: Jetpack – WP Security, Backup, Speed, & Growth
Vulnerability: Cross-Site Scripting via LaTeX markup within HTML elements
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version
Plugin: Breadcrumbs by menu
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads
Vulnerability: Arbitrary Post Deletion
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version
Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box
Vulnerability: Cross-Site Request Forgery
Patched Version: 20220216
Recommended Action: Update to version 20220216, or a newer patched version
Plugin: Appointment Calendar
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon
Vulnerability: Open Redirect via atkpout.php
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Panda Pods Repeater Field
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: WP-Testimonials
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: SQL Injection
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
Vulnerability: Cross-Site Scripting
Patched Version: 1.6.0.2
Recommended Action: Update to version 1.6.0.2, or a newer patched version
Plugin: Tickera – WordPress Event Ticketing
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.4.8.3
Recommended Action: Update to version 3.4.8.3, or a newer patched version
Plugin: Vertical marquee plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Portfolio Responsive Gallery
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: Social Auto Poster
Vulnerability: Cross-Site Request Forgery to Plugin Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pagebar2
Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
Patched Version: 2.66
Recommended Action: Update to version 2.66, or a newer patched version
Core: WordPress
Vulnerability: Sensitive Information Disclosure
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Stock Ticker
Vulnerability: Reflected Cross-Site Scripting in ajax_stockticker_load
Patched Version: 3.23.4
Recommended Action: Update to version 3.23.4, or a newer patched version
Plugin: ALO EasyMail Newsletter
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version
Plugin: Realia
Vulnerability: Cross-Site Request Forgery to User Email Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DeepL API translation plugin
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: Ultimate Taxonomy Manager
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: visitor-maps
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.8.7
Recommended Action: Update to version 1.5.8.7, or a newer patched version
Plugin: 3CX Free Live Chat, Calls & WhatsApp
Vulnerability: Blind SQL Injection
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version
Plugin: Rich Counter
Vulnerability: JavaScript Injection
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Youtube Channel Gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Connections Business Directory
Vulnerability: Cross-Site Scripting
Patched Version: 8.5.9
Recommended Action: Update to version 8.5.9, or a newer patched version
Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty
Vulnerability: Chaty <= 2.8.2 Reflected Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: WhyDoWork AdSense
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kanban Boards for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version
Plugin: Gutenberg Block Editor Toolkit – EditorsKit
Vulnerability: Authenticated (Contributor+) Code Injection
Patched Version: 1.31.6
Recommended Action: Update to version 1.31.6, or a newer patched version
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version
Plugin: Yatra – Tour and Travel Booking Solution
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version
Plugin: MainWP Broken Link Checker
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Redux Framework
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.21
Recommended Action: Update to version 4.1.21, or a newer patched version
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Missing Authorization Checks
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version
Plugin: Schema & Structured Data for WP & AMP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.24
Recommended Action: Update to version 1.24, or a newer patched version
Plugin: WP eCommerce
Vulnerability: Cross-Site Scripting
Patched Version: 3.8.9.1
Recommended Action: Update to version 3.8.9.1, or a newer patched version
Plugin: MailPoet – Newsletters, Email Marketing, and Automation
Vulnerability: Reflected Cross-Site Scripting via URL parameter
Patched Version: 3.23.2
Recommended Action: Update to version 3.23.2, or a newer patched version
Plugin: Membership Simplified
Vulnerability: SQL Injection
Patched Version: 1.58
Recommended Action: Update to version 1.58, or a newer patched version
Plugin: Who Hit The Page – Hit Counter
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Restaurant & Cafe Addon for Elementor
Vulnerability: Missing Authorization
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Configurable Tag Cloud (CTC)
Vulnerability: Cross-Site Request Forgery via ctc_options_page()
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version
Plugin: File Manager
Vulnerability: Missing Authorization on AJAX Actions
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version
Plugin: UTM Tracker
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Authenticated Cross-Site Scripting in Youtube URL Embeds
Patched Version: 3.7.19
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.19, 3.8.19, 3.9.17, 4.0.16, 4.1.16, 4.2.13, 4.3.9, 4.4.8, 4.5.7, 4.6.4, 4.7.3
Plugin: Smart SEO Tool – SEO优化插件
Vulnerability: Cross-Site Request Forgery via ‘wp_ajax_wb_smart_seo_tool’
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: Custom Field Suite
Vulnerability: Missing Authorization
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Web3 – Crypto wallet Login & NFT token gating
Vulnerability: Authentication Bypass
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Download Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.62
Recommended Action: Update to version 3.2.62, or a newer patched version
Plugin: WP Users Media
Vulnerability: Cross-Site Request Forgery in wpusme_save_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gecka Terms Thumbnails
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Note Press
Vulnerability: SQL Injection
Patched Version: 0.1.2
Recommended Action: Update to version 0.1.2, or a newer patched version
Plugin: Image Slider by NextCode – Photo & Video Slider
Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Zedna eBook download
Vulnerability: Directory Traversal
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA
Vulnerability: Reflected Cross-Site Scripting via message_id
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Two-factor authentication (formerly IP Vault)
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: LearnDash LMS
Vulnerability: Reflected Cross-Site Scripting issue on the [ld_profile] search field
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Insert Special Characters
Vulnerability: Improper Input Validation
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: Meow Gallery
Vulnerability: SQL Injection
Patched Version: 4.1.9
Recommended Action: Update to version 4.1.9, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: AdRotate Banner Manager – The only ad manager you'll need
Vulnerability: Authenticated Stored Cross-Site Scripting via Group Names
Patched Version: 5.8.23
Recommended Action: Update to version 5.8.23, or a newer patched version
Plugin: SupportCandy – Helpdesk & Customer Support Ticket System
Vulnerability: Sensitive Data Exposure
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: SlimStat Analytics
Vulnerability: Authenticated (Contributor+) Blind SQL Injection via Shortcode
Patched Version: 5.0.10
Recommended Action: Update to version 5.0.10, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.7
Recommended Action: Update to version 5.6.7, or a newer patched version
Plugin: WP Human Resource Management
Vulnerability: Sensitive Information Disclosure
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version
Plugin: Crafty Social Buttons
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: CopySafe Web Protection
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.14
Recommended Action: Update to version 3.14, or a newer patched version
Plugin: Anti-Malware Security and Brute-Force Firewall
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.21.83
Recommended Action: Update to version 4.21.83, or a newer patched version
Plugin: Block wp-login
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version
Plugin: Membership Database
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form Plugin
Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Directory Traversal
Patched Version: 0.8.9.6
Recommended Action: Update to version 0.8.9.6, or a newer patched version
Plugin: Custom Post Type UI
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: WP Cerber Security, Anti-spam & Malware Scan
Vulnerability: User Enumeration Bypass
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version
Plugin: Patreon WordPress
Vulnerability: Local File Disclosure
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Tab Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: WPQA – Builder forms Addon For WordPress
Vulnerability: Builder forms Addon For WordPress < 5.2
Patched Version: 5.2
Recommended Action: Update to version 5.2, or a newer patched version
Plugin: Opensea
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: PictoBrowser
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Cross-Site Scripting
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Vulnerability: Authenticated Stored Cross-Site Scripting via FB Pixel ID and Google Analytics ID
Patched Version: 1.6.13
Recommended Action: Update to version 1.6.13, or a newer patched version
Core: WordPress MU
Vulnerability: Arbitrary File Upload
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Emails & Newsletters with Jackmail
Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Syncee Collective Dropshipping
Vulnerability: Missing Authorization
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version
Plugin: Open User Map
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.27
Recommended Action: Update to version 1.3.27, or a newer patched version
Plugin: Social Buttons Pack by BestWebSoft
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: JS Multi Hotel
Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ditty – Responsive News Tickers, Sliders, and Lists
Vulnerability: Missing Authorization via save_ditty_permissions_check
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version
Plugin: WPML
Vulnerability: SQL Injection via lang Parameter
Patched Version: 3.1.9.1
Recommended Action: Update to version 3.1.9.1, or a newer patched version
Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version
Plugin: WP-Lister Lite for Amazon
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version
Plugin: WP Booking Calendar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 9.7.4
Recommended Action: Update to version 9.7.4, or a newer patched version
Plugin: WP FEvents Book
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcode IMDB
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ooorl
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BulletProof Security
Vulnerability: Cross-Site Scripting
Patched Version: .51.1
Recommended Action: Update to version .51.1, or a newer patched version
Plugin: WooCommerce Subscription
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.6.0
Recommended Action: Update to version 4.6.0, or a newer patched version
Plugin: WP Hide & Security Enhancer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: Sermon’e – Sermons Online
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive Menu – Create Mobile-Friendly Menu
Vulnerability: Cross-Site Request Forgery to Setting Modification
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version
Plugin: Generate Images (AI) – Magic Post Thumbnail
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.1.11
Recommended Action: Update to version 4.1.11, or a newer patched version
Plugin: User Meta – User Profile Builder and User management plugin
Vulnerability: Arbitrary File Upload
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Cross-Site Request Forgery via ajax_add_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Global Flash Gallery
Vulnerability: SQL Injection
Patched Version: 0.15.2
Recommended Action: Update to version 0.15.2, or a newer patched version
Plugin: Gallery PhotoBlocks
Vulnerability: Missing Authorization Checks
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)
Vulnerability: Authentication Bypass
Patched Version: 7.6.5
Recommended Action: Update to version 7.6.5, or a newer patched version
Plugin: Ninja Forms – File Uploads
Vulnerability: File Uploads <= 3.0.22
Patched Version: 3.0.23
Recommended Action: Update to version 3.0.23, or a newer patched version
Plugin: WP Mail
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Defender Security – Malware Scanner, Login Security & Firewall
Vulnerability: Hide Login Page Feature Protection Bypass
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version
Plugin: WP Simple Adsense Insertion
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Coditor – Code Editor
Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: Booking Price Manipulation via bookingpress_confirm_booking
Patched Version: 1.0.75
Recommended Action: Update to version 1.0.75, or a newer patched version
Plugin: White Label CMS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version
Core: WordPress MU
Vulnerability: Username Enumeration
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: Clockwork SMS Notifications
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image horizontal reel scroll slideshow
Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 13.3
Recommended Action: Update to version 13.3, or a newer patched version
Plugin: Login for Google Apps
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Authenticated (Shop Manager+) Missing Authorization to Arbitrary Options Update
Patched Version: 7.1.0
Recommended Action: Update to version 7.1.0, or a newer patched version
Plugin: Optimize Database after Deleting Revisions
Vulnerability: Missing Authorization via ‘odb_csv_download’
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: Easy Digital Downloads – htaccess Editor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Autoptimize
Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version
Plugin: WP Marketplace – Complete Shopping Cart / eCommerce Solution
Vulnerability: Arbitrary File Download
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: WPMobile.App — Android and iOS Mobile Application
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 11.14
Recommended Action: Update to version 11.14, or a newer patched version
Plugin: Gallery – Image and Video Gallery with Thumbnails
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: Team Members
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘rawdata’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: eShop
Vulnerability: Cross-Site Scripting
Patched Version: 6.3.12
Recommended Action: Update to version 6.3.12, or a newer patched version
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.15.0
Recommended Action: Update to version 2.15.0, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.8.4.3
Recommended Action: Update to version 1.8.4.3, or a newer patched version
Plugin: f(x) TOC
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Pipes
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Survey Maker
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Gmedia Photo Gallery
Vulnerability: Arbitrary File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Product Catalog Feed by PixelYourSite
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: 3DPrint
Vulnerability: Cross-Site Request Forgery to Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: License Manager for WooCommerce
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version
Plugin: AMP for WP – Accelerated Mobile Pages
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.77.32
Recommended Action: Update to version 1.0.77.32, or a newer patched version
Plugin: WordPress Slider Block Gutenslider
Vulnerability: Cross-Site Scripting
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: Any Hostname
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina)
Vulnerability: Cross-Site Scripting
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Cross-Site Request Forgery via ‘wpfc_clear_cache_of_allsites_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Live Composer – Free WordPress Website Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.24
Recommended Action: Update to version 1.5.24, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version
Plugin: Login Lockdown & Protection
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.07
Recommended Action: Update to version 2.07, or a newer patched version
Plugin: Ebook Store
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.78
Recommended Action: Update to version 5.78, or a newer patched version
Plugin: cformsII
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: nextgen-smooth-gallery
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Cross-Site Scripting via MediaElement.js
Patched Version: 3.7.14
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.14, 3.8.14, 3.9.12, 4.0.11, 4.1.11, 4.2.8, 4.3.4, 4.4.3, 4.5.2
Plugin: UpdraftPlus: WP Backup & Migration Plugin
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6.59
Recommended Action: Update to version 1.6.59, or a newer patched version
Plugin: MainWP Maintenance Extension
Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version
Core: WordPress
Vulnerability: SQL Injection
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version
Plugin: WordPress Contact Forms by Cimatti
Vulnerability: Cross-Site Scripting
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version
Plugin: Chilexpress woo oficial
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Collapse-O-Matic
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Simple Share Buttons Adder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.25.6
Recommended Action: Update to version 1.25.6, or a newer patched version
Plugin: WordPress Tables
Vulnerability: Reflected Cross-Site Scripting via error_msg
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RSSImport
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Login and Logout Redirect
Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Analytics for Woo – Putler Accurate Analytics and Reports for your WooCommerce Store
Vulnerability: Missing Authorization via ‘putler_connector_sync_complete’
Patched Version: 2.13.0
Recommended Action: Update to version 2.13.0, or a newer patched version
Plugin: ActiveCampaign for WooCommerce
Vulnerability: Missing Authorization to Error Log Deletion
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version
Plugin: Bold Page Builder
Vulnerability: PHP Object Injection
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version
Plugin: Back In Stock Notifier for WooCommerce | Manage Inventory and Waitlist Product for WooCommerce
Vulnerability: Missing Authorization via API
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Complete Gallery Manager for WordPress | Galleries
Vulnerability: Arbitrary File Upload
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version
Plugin: WP-FlyBox
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.13.45
Recommended Action: Update to version 7.13.45, or a newer patched version
Plugin: WP Report Post
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Toolset Types – Custom Post Types, Custom Fields and Taxonomies
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 3.4.18
Recommended Action: Update to version 3.4.18, or a newer patched version
Plugin: Featured Image from URL (FIFU)
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.10
Recommended Action: Update to version 2.8.10, or a newer patched version
Plugin: Relevant – Related, Featured, Latest, and Popular Posts by BestWebSoft
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Email Encoder – Protect Email Addresses and Phone Numbers
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: Authors List
Vulnerability: Reflected Cross-Site Scripting via al_id
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: article2pdf
Vulnerability: Denial of Service
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 123.chat – 1:1 Live Video Chat Tool Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty
Vulnerability: Chaty <= 3.1.1
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Core: WordPress
Vulnerability: Authentication Bypass
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Gwyn’s Imagemap Selector
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress prettyPhoto
Vulnerability: DOM Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: WP Rollback – Rollback Plugins and Themes
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Email Template Designer – WP HTML Mail
Vulnerability: Missing Authorization on REST Route
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Portfolio Gallery – Photo Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version
Plugin: FlagEm
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: wordpress plugin rockhoist-badges
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection
Vulnerability: Sensitive Information Exposure via Diff Response
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version
Plugin: Display Data on your site! Create Dynamic Content Templates from any form of data. Works with ACF, Pods, BuddyPress/ BuddyBoss
Vulnerability: Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: HDW Player Plugin (Video Player & Video Gallery)
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Automatic YouTube Gallery
Vulnerability: Missing Authorization via AJAX actions
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version
Plugin: Slideshow Gallery LITE
Vulnerability: Cross-Site Request Forgery via admin_galleries
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: a3 Portfolio
Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: Contact Forms – Drag & Drop Contact Form Builder
Vulnerability: Drag & Drop Contact Form Builder <= 1.0.5
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Tape
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pay With Tweet
Vulnerability: Authenticated SQL Injection
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Countdown Block
Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Directory Listings WordPress plugin – uListing
Vulnerability: Unauthenticated Information Disclosure
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version
Plugin: Corner Ad
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.57
Recommended Action: Update to version 1.0.57, or a newer patched version
Plugin: Download Manager
Vulnerability: Cross-Site Scripting
Patched Version: 3.2.16
Recommended Action: Update to version 3.2.16, or a newer patched version
Plugin: Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: Access Code Feeder
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI Engine
Vulnerability: Authenticated (Editor+) Arbitrary File Upload via add_image_from_url
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds
Vulnerability: SQL Injection
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Insufficient Access Control to Template Activation
Patched Version: 1.3.60
Recommended Action: Update to version 1.3.60, or a newer patched version
Plugin: CF7 Invisible reCAPTCHA
Vulnerability: Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Mega Menu Plugin for WordPress – AP Mega Menu
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: a3 Responsive Slider
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: wp-media-player
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Spot.IM Comments
Vulnerability: Cross-Site Scripting
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version
Plugin: WP JS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Admin and Site Enhancements (ASE)
Vulnerability: Password Protection Mode Security Feature Bypass
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version
Plugin: Post Gallery
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.31
Recommended Action: Update to version 1.1.31, or a newer patched version
Core: WordPress
Vulnerability: Sensitive Information Disclosure
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version
Plugin: Gmedia Photo Gallery
Vulnerability: Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: Advanced Product Labels for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.3.7
Recommended Action: Update to version 1.2.3.7, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Authorization Bypass to Arbitrary File Upload/Delete
Patched Version: 1.0.84
Recommended Action: Update to version 1.0.84, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Cross-Site Request Forgery via delete
Patched Version: 6.2.0.0
Recommended Action: Update to version 6.2.0.0, or a newer patched version
Plugin: EmbedSocial – Social Media Feeds, Reviews and Galleries
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.28
Recommended Action: Update to version 1.1.28, or a newer patched version
Plugin: Booster Plus for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version
Plugin: article2pdf
Vulnerability: 0.27
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Thinkun Remind
Vulnerability: Directory Traversal
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Sharebar
Vulnerability: Cross-Site Request Forgery to Settings Update & Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ibtana – WordPress Website Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2.1
Recommended Action: Update to version 1.2.2.1, or a newer patched version
Plugin: Code Snippets
Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: 2.14.0
Recommended Action: Update to version 2.14.0, or a newer patched version
Plugin: Magn WP Drag And Drop Media Uploader
Vulnerability: Arbitrary File Upload
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Structured Content (JSON-LD) #wpsc
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Quiz Maker
Vulnerability: SQL Injection
Patched Version: 6.2.0.9
Recommended Action: Update to version 6.2.0.9, or a newer patched version
Plugin: Advanced Local Pickup for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: WP Super Popup
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Continuous Image Carousel With Lightbox
Vulnerability: Reflected Cross-Site Scripting via search_term, order_by and order_pos
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version
Plugin: jQuery T(-) Countdown Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.24
Recommended Action: Update to version 2.3.24, or a newer patched version
Plugin: Image Optimizer by 10web – Image Optimizer and Compression plugin
Vulnerability: Directory Traversal to Information Exposure
Patched Version: 1.0.26
Recommended Action: Update to version 1.0.26, or a newer patched version
Plugin: Xerte Online
Vulnerability: Arbitrary File Upload
Patched Version: 0.36
Recommended Action: Update to version 0.36, or a newer patched version
Plugin: WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Core: WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.24
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.24, 3.8.24, 3.9.22, 4.0.21, 4.1.21, 4.2.18, 4.3.14, 4.4.13, 4.5.12, 4.6.9, 4.7.8, 4.8.4, 4.9.1
Plugin: File Gallery
Vulnerability: Reflected Cross-Site Scripting via post_id
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Secure Copy Content Protection and Content Locking
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version
Plugin: Blue Wrench Video Widget
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: GD Mail Queue
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: Quick Page/Post Redirect Plugin
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version
Plugin: Geo Mashup
Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Up down image slideshow gallery
Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 12.1
Recommended Action: Update to version 12.1, or a newer patched version
Plugin: BSK PDF Manager
Vulnerability: Authenticated SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: WPGateway
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.25
Recommended Action: Update to version 4.3.25, or a newer patched version
Plugin: Guest Author
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: Add Shortcodes Actions And Filters
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LiveChat – WP live chat plugin for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5.16
Recommended Action: Update to version 4.5.16, or a newer patched version
Plugin: Easy Modal
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Pods – Custom Content Types and Fields
Vulnerability: Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Stored Cross-Site Scripting
Patched Version: 8.5
Recommended Action: Update to version 8.5, or a newer patched version
Plugin: IP2Location Country Blocker
Vulnerability: Ban Bypass
Patched Version: 2.26.5
Recommended Action: Update to version 2.26.5, or a newer patched version
Plugin: Simple Download Monitor
Vulnerability: Multiple Cross-Site Request Forgery vulnerabilities
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version
Plugin: flickrRSS
Vulnerability: Cross-Site Scripting via flickrRSS_id
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Eventify™ – Simple Events
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ajax-random-post
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Title Field Validation
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcodes by Angie Makes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.1.28
Recommended Action: Update to version 2.1.28, or a newer patched version
Plugin: WP Clone Menu
Vulnerability: Missing Authorization to Menu Clone
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GNUCommerce
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: 5 Anker Connect
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: TK Google Fonts GDPR Compliant
Vulnerability: Missing Authorization to Font Deletion
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version
Plugin: Ajax Pagination and Infinite Scroll
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YITH WooCommerce Waitlist
Vulnerability: Cross-Site Request Forgery via ‘save_mail_status’
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘redirectionPageContent’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: tencentcloud-cos
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wicked Folders
Vulnerability: Missing Authorization on ajax_move_object
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Product Code for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Missing Authorization via get
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: Custom Header Images
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Broken Link Manager
Vulnerability: Cross-Site Scripting
Patched Version: 0.5.0
Recommended Action: Update to version 0.5.0, or a newer patched version
Plugin: lastfm-rotation
Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Call Now Button – The #1 Click to Call Button for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Support Board
Vulnerability: Authenticated SQL Injection
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.3.24
Recommended Action: Update to version 4.3.24, or a newer patched version
Plugin: Predictive Search for WooCommerce
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: sourceAFRICA
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Timeline – Vertical Timeline
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup by Supsystic
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10.5
Recommended Action: Update to version 1.10.5, or a newer patched version
Plugin: WP Register Profile With Shortcode
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version
Plugin: Unite Gallery Lite
Vulnerability: Authenticated (Administrator+) Local File Inclusion via ‘view’ parameter
Patched Version: 1.7.60
Recommended Action: Update to version 1.7.60, or a newer patched version
Plugin: Wise Agent Lead Forms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: CYSTEME Finder, the admin files explorer
Vulnerability: Arbitrary File Upload/Read
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Featured Image Caption
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.8.11
Recommended Action: Update to version 0.8.11, or a newer patched version
Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
Vulnerability: Tables & Table Charts <= 2.1.65
Patched Version: 2.1.66
Recommended Action: Update to version 2.1.66, or a newer patched version
Plugin: Events Manager Pro
Vulnerability: Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version
Plugin: Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages
Vulnerability: Information Disclosure
Patched Version: 1.9.4.1
Recommended Action: Update to version 1.9.4.1, or a newer patched version
Plugin: WP Construction Mode
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.92
Recommended Action: Update to version 1.92, or a newer patched version
Plugin: Google Forms
Vulnerability: Unauthenticated Server Side Request Forgery
Patched Version: 0.92
Recommended Action: Update to version 0.92, or a newer patched version
Plugin: WooCommerce
Vulnerability: Settings Bypass leading to Account Creation
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version
Plugin: WP VK-付费内容插件(付费阅读/资料/工具软件资源管理)
Vulnerability: Cross-Site Request Forgery via AJAX actions
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: WP-RecentComments
Vulnerability: Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: Custom Menu Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Data Tables Generator by Supsystic
Vulnerability: Cross-Site Scripting
Patched Version: 1.10.20
Recommended Action: Update to version 1.10.20, or a newer patched version
Plugin: BigBlueButton
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: dsSearchAgent: WordPress Edition
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Rights Access Manager
Vulnerability: Missing Authorization
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Float to Top Button
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Amministrazione Aperta
Vulnerability: Admin+ Local File Inclusion
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version
Plugin: Accordion Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Motors – Car Dealer, Classifieds & Listing
Vulnerability: Cross-Site Request Forgery via Multiple Functions
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: Salon Booking System
Vulnerability: Authenticated (Editor+) Privilege Escalation
Patched Version: 8.7
Recommended Action: Update to version 8.7, or a newer patched version
Plugin: SpiderVPlayer
Vulnerability: Multiple Blind Authenticated SQL Injections
Patched Version: 1.5.18
Recommended Action: Update to version 1.5.18, or a newer patched version
Plugin: rtMedia for WordPress, BuddyPress and bbPress
Vulnerability: Missing Authorization via export_settings
Patched Version: 4.6.15
Recommended Action: Update to version 4.6.15, or a newer patched version
Plugin: Organization chart
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Missing Authorization
Patched Version: 3.13.1
Recommended Action: Update to version 3.13.1, or a newer patched version
Core: WordPress MU
Vulnerability: Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version
Plugin: Promotion Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Yoast SEO
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: Resize Image After Upload
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: True Ranker
Vulnerability: Directory Traversal/Arbitrary File Read
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Missing Authorization in ajaxCalculatePrice function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: Recent Posts Slider
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Share Button
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: Translate Multilingual sites – TranslatePress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: MainWP Buddy Extension
Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Missing Authorization
Patched Version: 5.2.3.1
Recommended Action: Update to version 5.2.3.1, or a newer patched version
Plugin: Post Snippets – Custom WordPress Code Snippets Customizer
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘snippet_content’
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: Custom Permalinks
Vulnerability: No subtitle
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Advanced Booking Calendar
Vulnerability: Reflected Cross-Site Scripting via calId Parameter
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: Online Lesson Booking
Vulnerability: Cross-Site Scripting
Patched Version: 0.8.7
Recommended Action: Update to version 0.8.7, or a newer patched version
Plugin: trust-form
Vulnerability: Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.9.0
Recommended Action: Update to version 3.9.0, or a newer patched version
Plugin: WordPress Brute Force Protection – Stop Brute Force Attacks
Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version
Plugin: WP BrowserUpdate
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version
Plugin: Simpel Reserveren 3
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 404 to Start
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Arbitrary File Read
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version
Plugin: CM Download Manager – Document and File Management
Vulnerability: Code Injection
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: WP CleanFix
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: Event Calendar WD version
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.45
Recommended Action: Update to version 1.1.45, or a newer patched version
Plugin: Reusable Text Blocks
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Registration Forms
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Adminimize
Vulnerability: Cross-Site Scripting
Patched Version: 1.7.22
Recommended Action: Update to version 1.7.22, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Arbitrary File Upload
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Compact WP Audio Player
Vulnerability: Setting Change via Cross-Site Request Forgery
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.64.1
Recommended Action: Update to version 3.64.1, or a newer patched version
Plugin: Name Directory
Vulnerability: Cross-Site Scripting
Patched Version: 1.25.3
Recommended Action: Update to version 1.25.3, or a newer patched version
Plugin: FormCraft
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.5.16
Recommended Action: Update to version 1.5.16, or a newer patched version
Plugin: Stylish Price List – Price Table Builder & QR Code Restaurant Menu
Vulnerability: Missing Authorization
Patched Version: 7.0.18
Recommended Action: Update to version 7.0.18, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.38
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.38, 4.2.35, 4.3.31, 4.4.30, 4.5.29, 4.6.26, 4.7.26, 4.8.22, 4.9.23, 5.0.19, 5.1.16, 5.2.18, 5.3.15, 5.4.13, 5.5.12, 5.6.11, 5.7.9, 5.8.7, 5.9.6, 6.0.4, 6.1.2, 6.2.1
Plugin: Social Ring (Facebook Like, Google +1, ReTweet, LinkedIn and Pin It)
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: WPML
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.3.7
Recommended Action: Update to version 4.3.7, or a newer patched version
Plugin: Import CSV Files
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Video Player for YouTube
Vulnerability: Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Minimal Coming Soon – Coming Soon Page
Vulnerability: Missing Authorization to Export Settings/Theme Change
Patched Version: 2.17
Recommended Action: Update to version 2.17, or a newer patched version
Plugin: WP Simple Galleries
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Add Hierarchy (parent) to post
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.13
Recommended Action: Update to version 3.13, or a newer patched version
Plugin: EXMAGE – WordPress Image Links
Vulnerability: Admin+ Blind SSRF
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: URL Cloak & Encrypt
Vulnerability: Cross-Site Scripting
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version
Plugin: Google Maps Anywhere
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: 5.9.1
Patched Version: 5.9.2
Recommended Action: Update to version 5.9.2, or a newer patched version
Plugin: Accessibility
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Exxp
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.174.1
Recommended Action: Update to version 5.174.1, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.7.2
Recommended Action: Update to version 1.2.7.2, or a newer patched version
Plugin: Porto Theme – Functionality
Vulnerability: Functionality <= 2.11.1
Patched Version: 2.12.1
Recommended Action: Update to version 2.12.1, or a newer patched version
Plugin: WordPress File Upload
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.23.3
Recommended Action: Update to version 4.23.3, or a newer patched version
Plugin: Like Button Rating ♥ LikeBtn
Vulnerability: Server-Side Request Forgery
Patched Version: 2.6.32
Recommended Action: Update to version 2.6.32, or a newer patched version
Plugin: Modern Events Calendar Lite
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.22.3
Recommended Action: Update to version 5.22.3, or a newer patched version
Plugin: WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BSK Contact Form 7 Blacklist
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Authenticated SQL Injection
Patched Version: 1.3.38
Recommended Action: Update to version 1.3.38, or a newer patched version
Plugin: Ultimate Category Excluder
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Information Disclosure
Patched Version: 1.14.14
Recommended Action: Update to version 1.14.14, or a newer patched version
Plugin: Skippy WP-DB Backup (Legacy Core Plugin)
Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPComplete
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version
Plugin: MWB Point of Sale (POS) for WooCommerce- Generate Barcodes, Process your Bills, Synchronize, Your Online-Offline Orders
Vulnerability: Missing Authorization
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Subscribe2 – Form, Email Subscribers & Newsletters
Vulnerability: Cross-Site Request Forgery
Patched Version: 10.38
Recommended Action: Update to version 10.38, or a newer patched version
Plugin: Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS
Vulnerability: Courses for Membership Add On <= 1.2.3
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: IP2Location Country Blocker
Vulnerability: Unauthenticated Sensitive Information Exposure via Debug Log File
Patched Version: 2.33.4
Recommended Action: Update to version 2.33.4, or a newer patched version
Plugin: Ultimate TinyMCE
Vulnerability: Cross-Site Scripting
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version
Plugin: Bulk NoIndex & NoFollow Toolkit
Vulnerability: Reflected Cross-Site Scripting via ‘s’
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Custom Field Suite
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.5.15
Recommended Action: Update to version 2.5.15, or a newer patched version
Plugin: WP Spell Check
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 9.13
Recommended Action: Update to version 9.13, or a newer patched version
Plugin: DSubscribers
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: WP Events Calendar Plugin
Vulnerability: SQL Injection
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: Image Hover Effects Css3
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form – Custom Builder, Payment Form, and More
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, Point Rewards, Referral Points, Reward for Points, User Badges, and Gamification
Vulnerability: Missing Authorization
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: cforms
Vulnerability: Cross-Site Scripting
Patched Version: 10.5
Recommended Action: Update to version 10.5, or a newer patched version
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Cross-Site Request Forgery to Plugin Activation
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: IgniteUp – Coming Soon and Maintenance Mode
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: Easy Plugin for AdSense
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.10
Recommended Action: Update to version 6.10, or a newer patched version
Plugin: Testimonial Rotator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Asgaros Forum
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.15.13
Recommended Action: Update to version 1.15.13, or a newer patched version
Plugin: Taskbuilder – WordPress Project & Task Management plugin
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: IDOR to Sensitive Information Disclosure
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: Favicon by RealFaviconGenerator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.23
Recommended Action: Update to version 1.3.23, or a newer patched version
Plugin: bbPress
Vulnerability: Cross-Site Scripting
Patched Version: 2.5.10
Recommended Action: Update to version 2.5.10, or a newer patched version
Plugin: Donations via PayPal
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Arbitrary File Upload
Patched Version: 3.0.16
Recommended Action: Update to version 3.0.16, or a newer patched version
Plugin: Find and Replace All
Vulnerability: Cross-Site Request Forgery to Arbitrary Content Replacement
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Bypass URL Validation
Patched Version: 3.7.19
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.19, 3.8.19, 3.9.17, 4.0.16, 4.1.16, 4.2.13, 4.3.9, 4.4.8, 4.5.7, 4.6.4, 4.7.3
Plugin: Realia
Vulnerability: Arbitrary Post Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: ELEX WooCommerce Google Shopping (Google Product Feed)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Donations Made Easy – Smart Donations
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Access Control Bypass
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: Feeds for YouTube (YouTube video, channel, and gallery plugin)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Unauthenticated Blind SQL Injection via current_page_type
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version
Plugin: All 404 Redirect to Homepage
Vulnerability: Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: WP Directory Kit
Vulnerability: Open Redirect
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.11.4
Recommended Action: Update to version 6.11.4, or a newer patched version
Plugin: Form Store to DB
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Featured Posts by BestWebSoft
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: WP OAuth Server ( Login with WordPress )
Vulnerability: Authentication Bypass
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version
Plugin: ICS Calendar
Vulnerability: Authenticated (Contributor+) Directory Traversal via _url_get_contents
Patched Version: 10.12.0.2
Recommended Action: Update to version 10.12.0.2, or a newer patched version
Core: WordPress
Vulnerability: Authenticated Directory Traversal to Arbitrary File Access
Patched Version: 3.7.16
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.16, 3.8.16, 3.9.14, 4.0.13, 4.1.13, 4.2.10, 4.3.6, 4.4.5, 4.5.4, 4.6.1
Plugin: Realia
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.2
Recommended Action: Update to version 0.9.2, or a newer patched version
Plugin: WP Shopping Pages
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form DB
Vulnerability: Cross-Site Scripting
Patched Version: 2.8.20
Recommended Action: Update to version 2.8.20, or a newer patched version
Plugin: Mass Email To users
Vulnerability: Unauthenticated Reflected Cross-Site Scripting via ‘entrant’
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: SEO Rank Reporter
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Welcart e-Commerce
Vulnerability: SQL Injection
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version
Plugin: Contact Form 7 Database Addon – CFDB7
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.6.1
Recommended Action: Update to version 1.2.6.1, or a newer patched version
Plugin: Ultimate Product Catalog
Vulnerability: Multiple Vulnerabilities
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Vulnerability: Unauthenticated Reflected Cross-Site Scripting via Tag Filter Links
Patched Version: 2.0.13.1
Recommended Action: Update to version 2.0.13.1, or a newer patched version
Plugin: Complete Open Graph
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Title Experiments Free
Vulnerability: SQL Injection
Patched Version: 9.0.1
Recommended Action: Update to version 9.0.1, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: 2.9.42
Patched Version: 2.9.42.1
Recommended Action: Update to version 2.9.42.1, or a newer patched version
Plugin: Import and export users and customers
Vulnerability: Directory Traversal
Patched Version: 1.14.2.2
Recommended Action: Update to version 1.14.2.2, or a newer patched version
Plugin: Themify Portfolio Post
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Album Gallery – WordPress Gallery
Vulnerability: Cross-Site Request Forgery via album-gallery-column-settings.php
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon
Vulnerability: Reflected Cross-Site Scripting via keyword
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: WP Image Carousel
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rife Elementor Extensions & Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: VideoWhisper Video Presentation
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.31
Recommended Action: Update to version 3.31, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting in Language Settings
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version
Plugin: WP Super Cache
Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: seolinkrotator
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Global Multisite Search
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CRM and Lead Management by vcita
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.95
Recommended Action: Update to version 3.6.95, or a newer patched version
Plugin: uContext for Amazon
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Better Font Awesome
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Product Slider for WooCommerce by PickPlugins
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.13.22
Recommended Action: Update to version 1.13.22, or a newer patched version
Plugin: KD Coming Soon
Vulnerability: Unauthenticated PHP Object Injection via cetitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Thumbnail carousel slider
Vulnerability: Stored Cross-Site Scripting and Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Solid Central – Site Management, Backups, Security, and Reporting
Vulnerability: Cross-Site Request Forgery and Missing Authorization via ‘hide_authenticate_notice’
Patched Version: 2.1.14
Recommended Action: Update to version 2.1.14, or a newer patched version
Plugin: User Profile Picture
Vulnerability: Authenticated Insecure Direct Object Reference
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: BuddyPress Extended Friendship Request
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: WP Backup+
Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Subscribe to Category
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Auto Login New User After Registration
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via alnuar_auto_login_new_user_after_registration_redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Security & Malware scan by CleanTalk
Vulnerability: Missing Authorization
Patched Version: 2.51
Recommended Action: Update to version 2.51, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Request Forgery via wp_ajax_wp_compression_test
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: 3CX Free Live Chat, Calls & WhatsApp
Vulnerability: Cross-Site Scripting
Patched Version: 7.1.05
Recommended Action: Update to version 7.1.05, or a newer patched version
Plugin: Japanized For WooCommerce
Vulnerability: Missing Authorization
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version
Plugin: ZoomSounds – WordPress Wave Audio Player with Playlist
Vulnerability: Arbitrary File Upload
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Be POPIA Compliant
Vulnerability: Sensitive Information Exposure
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version
Core: WordPress
Vulnerability: Shared User Instance Weakness
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Plugin: Banner Effect Header
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Analyticator
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.9.4
Recommended Action: Update to version 6.4.9.4, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.6.0
Recommended Action: Update to version 5.6.0, or a newer patched version
Plugin: Easy Google Maps
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.32
Recommended Action: Update to version 1.9.32, or a newer patched version
Plugin: WP 2FA – Two-factor authentication for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Theme My Login
Vulnerability: Local File Inclusion
Patched Version: 6.3.10
Recommended Action: Update to version 6.3.10, or a newer patched version
Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Campaign Message
Patched Version: 3.1.20
Recommended Action: Update to version 3.1.20, or a newer patched version
Plugin: Menu Image, Icons made easy
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version
Plugin: SMTP by BestWebSoft
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: About Author
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Sliced Invoices – WordPress Invoice Plugin
Vulnerability: Authenticated SQL Injection
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 14.0
Recommended Action: Update to version 14.0, or a newer patched version
Plugin: Popup by Supsystic
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.20
Recommended Action: Update to version 1.10.20, or a newer patched version
Plugin: Image Zoom
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Job Board
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.7
Recommended Action: Update to version 2.10.7, or a newer patched version
Plugin: ANAC XML Bandi di Gara
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcodes and extra features for Phlox theme
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.8
Recommended Action: Update to version 2.9.8, or a newer patched version
Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer
Vulnerability: Missing Authorization
Patched Version: 7.13.55
Recommended Action: Update to version 7.13.55, or a newer patched version
Plugin: Invite Anyone
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version
Plugin: DZS Video Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce PayPal Payments
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Lead Deletion
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version
Plugin: Count per Day
Vulnerability: Arbitrary File Download
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version
Plugin: EnvíaloSimple: Email Marketing y Newsletters
Vulnerability: Cross-Site Scripting
Patched Version: 1.98
Recommended Action: Update to version 1.98, or a newer patched version
Plugin: SAML Single Sign On – SSO Login
Vulnerability: Cross-Site Scripting
Patched Version: 4.8.84
Recommended Action: Update to version 4.8.84, or a newer patched version
Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional
Vulnerability: Unauthenticated Stored Cross-Site Scripting via profile_title
Patched Version: 1.0.8.1
Recommended Action: Update to version 1.0.8.1, or a newer patched version
Plugin: Complianz – GDPR/CCPA Cookie Consent
Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcodes
Patched Version: 2.9.12
Recommended Action: Update to version 2.9.12, or a newer patched version
Plugin: wpDataTables (Premium)
Vulnerability: Improper Access Control leading to Table Permission Takeover
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Age Gate
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.16.4
Recommended Action: Update to version 2.16.4, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Easy Coming Soon
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Image and Video Lightbox, Image PopUp
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: WordPress Font Uploader
Vulnerability: Arbitrary File Upload
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Elastic Email Sender
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Import any XML, CSV or Excel File to WordPress
Vulnerability: Admin+ Arbitrary File Upload
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.15
Recommended Action: Update to version 2.9.15, or a newer patched version
Plugin: GamePress – The Game Database Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Unauthenticated Privilege Escalation via User Roles
Patched Version: 2.1.12
Recommended Action: Update to version 2.1.12, or a newer patched version
Plugin: Use-Your-Drive
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.18.3
Recommended Action: Update to version 1.18.3, or a newer patched version
Plugin: Splashscreen
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FeedWordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2015.0514
Recommended Action: Update to version 2015.0514, or a newer patched version
Plugin: Meteor Slides
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: WP Dark Mode – WordPress Dark Mode Plugin for Improved Accessibility, Dark Theme, Night Mode, and Social Sharing
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: YARPP – Yet Another Related Posts Plugin
Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: 5.30.5
Recommended Action: Update to version 5.30.5, or a newer patched version
Plugin: Mailchimp for WooCommerce
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: adminer
Vulnerability: Security Bypass to Database Login
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All-in-One WP Migration and Backup
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version
Plugin: String locator
Vulnerability: Cross-Site Request Forgery to PHAR Deserialization
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: Subscribe2 – Form, Email Subscribers & Newsletters
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 8.1
Recommended Action: Update to version 8.1, or a newer patched version
Core: WordPress
Vulnerability: Revision History Disclosure
Patched Version: 3.7.15
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.15, 3.8.15, 3.9.13, 4.0.12, 4.1.12, 4.2.9, 4.3.5, 4.4.4, 4.5.3
Plugin: GD Rating System
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Download Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.60
Recommended Action: Update to version 3.2.60, or a newer patched version
Plugin: Directory Listings WordPress plugin – uListing
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: MathJax-LaTeX
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Ultimate Dashboard – Custom WordPress Dashboard
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.7.12
Recommended Action: Update to version 3.7.12, or a newer patched version
Plugin: EELV Newsletter
Vulnerability: Cross-Site Scripting
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 2.1.23
Recommended Action: Update to version 2.1.23, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Unauthenticated SQL Injection via cg_Fields
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: SAML Single Sign On – SSO Login
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.8.76
Recommended Action: Update to version 4.8.76, or a newer patched version
Plugin: WordPress Infinite Scroll – Ajax Load More
Vulnerability: Arbitrary File Upload
Patched Version: 2.8.1.2
Recommended Action: Update to version 2.8.1.2, or a newer patched version
Plugin: WP-Invoice – Web Invoice and Billing
Vulnerability: Unauthorized Settings Change
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Plugin: Easy Contact Form Pro
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.1.1.9
Recommended Action: Update to version 1.1.1.9, or a newer patched version
Plugin: OneLogin SAML SSO
Vulnerability: Authentication Bypass
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: alfred24 Click & Collect
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Aajoda Testimonials
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: FreshMail For WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pricing Deals for WooCommerce
Vulnerability: Missing Authorization via vtprd_ajax_clone_rule
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Register Plus
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom 404 Pro
Vulnerability: Unauthenticated Stored Cross-Site Scripting via logging
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version
Plugin: Star CloudPRNT for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: W3 Total Cache
Vulnerability: Sensitive Information Exposure
Patched Version: 0.9.2.5
Recommended Action: Update to version 0.9.2.5, or a newer patched version
Plugin: 404 to 301 – Redirect, Log and Notify 404 Errors
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: WP Front-End Repository Manager
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ImageLinks Interactive Image Builder for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Vulnerability: Missing Authorization
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: WP Custom Cursors | WordPress Cursor Plugin
Vulnerability: Cross-Site Request Forgery to Cursor Manipulation
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Core: WordPress
Vulnerability: All known versions
Patched Version: No patched version available
Recommended Action: No known patch available. Review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance.
Plugin: bbPress Toolkit
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Leaflet Maps Marker Pro
Vulnerability: SQL Injection
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: Duplicate Page and Post
Vulnerability: Malicious Backdoor
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPGlobus – Multilingual WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version
Plugin: Keap Landing Pages
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cookie Bar
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version
Plugin: ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version
Plugin: MX Time Zone Clocks
Vulnerability: Contributor+ Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: EventON
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: Content Copy Protection & Prevent Image Save
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Shop
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.4.3.19
Recommended Action: Update to version 3.4.3.19, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Incorrect Authorization Checks Allowing Post Modification
Patched Version: 1.0.126
Recommended Action: Update to one of the following versions, or a newer patched version: 1.0.126, 2.3.12
Plugin: Virtual Robots.txt
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version
Plugin: Google XML Sitemap for Images
Vulnerability: Cross-Site Request Forgery via image_sitemap_generate
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version
Plugin: wp-FileManager
Vulnerability: Arbitrary File Upload
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: FV Flowplayer Video Player
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version
Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
Vulnerability: Missing Authorization via AJAX actions
Patched Version: 118
Recommended Action: Update to version 118, or a newer patched version
Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio
Vulnerability: Sensitive Information Disclosure
Patched Version: 2.53
Recommended Action: Update to version 2.53, or a newer patched version
Plugin: Calendar_plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LayerSlider
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version
Plugin: Checkout Field Manager (Checkout Manager) for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.7
Recommended Action: Update to version 5.5.7, or a newer patched version
Plugin: WP HTML Author Bio
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Loginizer
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: Simple Retail Menus
Vulnerability: SQL Injection
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version
Plugin: Quick Page/Post Redirect Plugin
Vulnerability: Redirect Security Bypass
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: Leaflet Maps Marker Pro
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: FileOrganizer – Manage WordPress and Website Files
Vulnerability: Authenticated (Admin+) Arbitrary File Access
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: WP Affiliate Disclosure
Vulnerability: Cross-Site Request Forgery via check_capability
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Core: WordPress
Vulnerability: SQL Injection
Patched Version: 1.5.1.3
Recommended Action: Update to version 1.5.1.3, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11.8
Recommended Action: Update to version 1.11.8, or a newer patched version
Plugin: Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: RapidLoad – Optimize Web Vitals Automatically
Vulnerability: Cross-Site Request Forgery via ‘attach_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Shariff for WordPress
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: WordPress Language
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MainWP Google Analytics Extension
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version
Plugin: Auto Amazon Links – Amazon Associates Affiliate Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via style
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version
Plugin: 3xSocializer
Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cryptographp
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Spam Protection Bypass
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: Debug Bar – Enable WP_DEBUG from admin dashboard
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.86
Recommended Action: Update to version 1.86, or a newer patched version
Plugin: WP SOCIAL BOOKMARK MENU
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced XML Reader
Vulnerability: External Entity Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Missing Authorization
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: eID Easy
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version
Plugin: Booking.com Product Helper
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Simple Calendar – Google Calendar Plugin
Vulnerability: Cross-Site Request Forgery via bulk_actions
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version
Plugin: Data Tables Generator by Supsystic
Vulnerability: Time-Based Blind SQL Injection
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version
Plugin: N5 Upload Form
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Brafton
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version
Plugin: OSM – OpenStreetMap
Vulnerability: OpenStreetMap <= 6.0
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version
Plugin: External Links – nofollow, noopener & new window
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 2.56
Recommended Action: Update to version 2.56, or a newer patched version
Plugin: Login | Login Page | Login Logo | Rename Login Page | Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
Vulnerability: 1.1.1
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: WP Upload Restriction
Vulnerability: No subtitle
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Share-one-Drive
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.3
Recommended Action: Update to version 1.15.3, or a newer patched version
Plugin: Advanced Local Pickup for WooCommerce
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Lead Generated
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.25
Recommended Action: Update to version 1.25, or a newer patched version
Plugin: Better RSS Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Cross-Site Request Forgery via process_deactivate_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version
Plugin: The School Management – Education & Learning Management
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: WP Activity Log
Vulnerability: Sensitive Information Disclosure
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Express Shop
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘layouts’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Divi Builder
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.17.3
Recommended Action: Update to version 2.17.3, or a newer patched version
Plugin: Appointment Booking and Scheduling Calendar Plugin – Webba Booking
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version
Plugin: VK Blocks
Vulnerability: Authenticated (Contributor+) Settings Update
Patched Version: 1.57.0.10
Recommended Action: Update to version 1.57.0.10, or a newer patched version
Plugin: Icons Font Loader – Load Various Web Fonts & Icons on WP
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Popup by Supsystic
Vulnerability: Prototype Pollution
Patched Version: 1.10.19
Recommended Action: Update to version 1.10.19, or a newer patched version
Plugin: Product Carousel Slider & Grid Ultimate for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version
Plugin: Make Connector
Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: Laposta Signup Embed
Vulnerability: Missing Authorization
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Contact Form Builder by vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.1
Recommended Action: Update to version 4.10.1, or a newer patched version
Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin
Vulnerability: Missing Authorization
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Interactive Image Map Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: Real3D Flipbook
Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: Simple Download Monitor
Vulnerability: Contributor+ Stored Cross-Site Scripting via File Thumbnail
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version
Plugin: eCommerce Product Catalog Plugin for WordPress
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.0.18
Recommended Action: Update to version 3.0.18, or a newer patched version
Plugin: Coru LFMember
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form for WordPress – Ultimate Form Builder Lite
Vulnerability: SQL Injection to PHP Object Injection
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Insecure Direct Object Reference
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: NOO Timetable
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Slide Anything – Responsive Content / HTML Slider and Carousel
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version
Plugin: Mega Main Menu
Vulnerability: Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RSVPMaker
Vulnerability: Authenticated (Admin+) SQL Injection via ‘delete’ parameter
Patched Version: 9.9.4
Recommended Action: Update to version 9.9.4, or a newer patched version
Plugin: Contact Form Check Tester
Vulnerability: Authenticated (Subscriber+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LearnPress Export Import – WordPress extension for LearnPress
Vulnerability: Export/Import Courses <= 4.0.2
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: EnvíaloSimple: Email Marketing y Newsletters
Vulnerability: No subtitle
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: WP Offload SES Lite
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Download Monitor
Vulnerability: Cross-Site Scripting via p Parameter
Patched Version: 3.3.6.2
Recommended Action: Update to version 3.3.6.2, or a newer patched version
Plugin: wptf-image-gallery
Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Server-Side Request Forgery
Patched Version: 3.7.13
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.13, 3.8.13, 3.9.11, 4.0.10, 4.1.10, 4.2.7, 4.3.3, 4.4.2
Plugin: Ptengine – Heatmap Analytics
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: WordPress Photo Gallery – Image Gallery
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPE Indoshipping
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooPayments: Integrated WooCommerce Payments
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.5.0
Recommended Action: Update to version 6.5.0, or a newer patched version
Plugin: Salon Booking System
Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version
Plugin: WP CSV to Database – Insert CSV file content into WordPress database
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Gallery Plugin
Vulnerability: Unauthenticated Remote File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Related YouTube Videos
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version
Plugin: API Bearer Auth
Vulnerability: Cross-Site Scripting
Patched Version: 20190907
Recommended Action: Update to version 20190907, or a newer patched version
Plugin: Very Simple Breadcrumb
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Vendors
Vulnerability: Authenticated (Shop manager+) SQL Injection
Patched Version: 2.1.79
Recommended Action: Update to version 2.1.79, or a newer patched version
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Missing Authorization
Patched Version: 1.0.42.2
Recommended Action: Update to version 1.0.42.2, or a newer patched version
Plugin: Podlove Podcast Publisher
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 2.3.16
Recommended Action: Update to version 2.3.16, or a newer patched version
Plugin: WP Super Cache
Vulnerability: Directory Listing
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Theme My Login 2fa
Vulnerability: 2FA Bypass via Brute Force
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Add Posts to Pages
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: Cross-Site Request Forgery via delete_profiles_data
Patched Version: 1.4.1.5
Recommended Action: Update to version 1.4.1.5, or a newer patched version
Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 8.2.8
Recommended Action: Update to version 8.2.8, or a newer patched version
Plugin: intouch
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Contact Form, Drag and Drop Form Builder Plugin – Live Forms
Vulnerability: SQL Injection
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Podcasting Plugin by TSG
Vulnerability: Remote File Inclusion
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Administrator Open Redirect
Patched Version: 3.4.34
Recommended Action: Update to version 3.4.34, or a newer patched version
Plugin: Simple Photo Gallery
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP 2FA – Two-factor authentication for WordPress
Vulnerability: Insecure Direct Object Reference
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0.35
Recommended Action: Update to version 2.0.35, or a newer patched version
Plugin: My Site Audit
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Appointment Booking Calendar
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.25
Recommended Action: Update to version 1.2.25, or a newer patched version
Plugin: Email Artillery (MASS EMAIL)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.28.0
Recommended Action: Update to version 1.28.0, or a newer patched version
Plugin: Calendar Event Multi View
Vulnerability: Insufficient Authorization
Patched Version: 1.4.15
Recommended Action: Update to version 1.4.15, or a newer patched version
Plugin: CMS Tree Page View
Vulnerability: Missing Authorization Checks
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Authenticated SQL Injection
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version
Plugin: WordPress Social Login
Vulnerability: Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: Gallery Bank – WordPress Photo Gallery Plugin
Vulnerability: SQL Injection
Patched Version: 3.0.102
Recommended Action: Update to version 3.0.102, or a newer patched version
Plugin: Enhanced Plugin Admin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.16
Recommended Action: Update to version 1.16, or a newer patched version
Plugin: wp-tmkm-amazon
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: RokIntroScroller
Vulnerability: Cross-Site Scripting
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: Autocomplete Location field Contact Form 7
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: WP Private Message
Vulnerability: Insecure Direct Object Reference
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: Contact Bank – Contact Form Builder for WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 2.0.20
Recommended Action: Update to version 2.0.20, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘addRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Zotpress
Vulnerability: Reflected Cross-Site Scripting via ‘PHP_SELF’
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version
Plugin: School Management System – WPSchoolPress
Vulnerability: Missing Authorization
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: Ultimate Product Catalog
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: Duplicator Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.11.1
Recommended Action: Update to version 4.5.11.1, or a newer patched version
Plugin: All Video Gallery Plugin for WordPress
Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GD Star Rating
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: vSlider Multi Image Slider for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Subscriber+) Information Exposure
Patched Version: 5.12.8
Recommended Action: Update to version 5.12.8, or a newer patched version
Plugin: Participants Database
Vulnerability: SQL Injection
Patched Version: 1.5.4.9
Recommended Action: Update to version 1.5.4.9, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version
Plugin: Add to home screen WP Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Reflected Cross-Site Scripting via ‘data’
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version
Plugin: RD Station
Vulnerability: Cross-Site Request Forgery to Plugin Log Deletion
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: MailPoet Newsletters (Previous)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version
Core: WordPress
Vulnerability: Missing Authorization Checks on create_post
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Google Doc Embedder
Vulnerability: SQL Injection
Patched Version: 2.5.17
Recommended Action: Update to version 2.5.17, or a newer patched version
Plugin: Jupiter X Core
Vulnerability: Authenticated Arbitrary Plugin Deactivation and Settings Modification
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: Product Category Tree
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EventON
Vulnerability: Insecure Direct Object Reference to Unauthorized Post Access
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Vulnerability: Missing Authorization to Category Update
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Page Restrict
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: 404 Solution
Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 2.34.0
Recommended Action: Update to version 2.34.0, or a newer patched version
Plugin: Add to Feedly
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.32
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.32, 3.8.32, 3.9.30, 4.0.29, 4.1.29, 4.2.26, 4.3.22, 4.4.21, 4.5.20, 4.6.17, 4.7.16, 4.8.12, 4.9.13, 5.0.8, 5.1.4, 5.2.5, 5.3.1
Plugin: WPCargo Track & Trace
Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 6.9.0
Recommended Action: Update to version 6.9.0, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.11.6
Recommended Action: Update to version 2.11.6, or a newer patched version
Plugin: SoundCloud Is Gold
Vulnerability: Missing Authorization to Soundcloud User Add
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive Tabs
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version
Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box
Vulnerability: Sensitive Information Disclosure
Patched Version: 20220216
Recommended Action: Update to version 20220216, or a newer patched version
Core: WordPress
Vulnerability: Weak Multi-Site Activation Key for User and Site Signup
Patched Version: 3.7.17
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.17, 3.8.17, 3.9.15, 4.0.14, 4.1.14, 4.2.11, 4.3.7, 4.4.6, 4.5.5, 4.6.2, 4.7.1
Plugin: Floating Action Button
Vulnerability: Cross-Site Request Forgery to Settings Modification
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Extra Charges To Payment Gateway For WooCommerce (Standard)
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Userlike – WordPress Live Chat plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: SportsPress – Sports Club & League Manager
Vulnerability: Cross-Site Scripting
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: Anti-Malware Security and Brute-Force Firewall
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.15.23
Recommended Action: Update to version 4.15.23, or a newer patched version
Plugin: Cross Slide
Vulnerability: Multiple Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Contact form 7 DB
Vulnerability: SQL Injection
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: User Access Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title_html_tag
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: WooCommerce Pre-Orders
Vulnerability: Cross-Site Request Forgery to Order Cancellation
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: Top 10 – WordPress Popular posts by WebberZone
Vulnerability: Missing Authorization on tptn_ajax_clearcache
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: Social Login by BestWebSoft
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 0.2
Recommended Action: Update to version 0.2, or a newer patched version
Plugin: HM Multiple Roles
Vulnerability: Privilege Escalation via Arbitrary Role Change
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: Uploader
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Sharing Toolkit
Vulnerability: Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Quasar form free – Contact Form Builder for WordPress
Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘id’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PayPal Pro Add-on for iThemes Exchange
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: PDF & Print Button Joliprint
Vulnerability: Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Google Maps v3 Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Login WP
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.2.29
Recommended Action: Update to version 1.2.2.29, or a newer patched version
Plugin: Mail logging – WP Mail Catcher
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Missing Authorization
Patched Version: 1.8.16
Recommended Action: Update to version 1.8.16, or a newer patched version
Plugin: Email Queue by BestWebSoft
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Zendrop – Global Dropshipping
Vulnerability: SQL Injection in setMetaData
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Slideshow Gallery LITE
Vulnerability: Cross-Site Scripting
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version
Plugin: WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder
Vulnerability: Privilege Escalation
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: Login by Auth0
Vulnerability: Insecure Direct Object Reference
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms
Vulnerability: SQL Injection
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN
Vulnerability: Authenticated PHAR Deserialization
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: Simple Popup Newsletter
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Add User
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form 7 Database Addon – CFDB7
Vulnerability: CSV Injection
Patched Version: 1.2.6.5
Recommended Action: Update to version 1.2.6.5, or a newer patched version
Plugin: Core Tweaks WP Setup
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MailerLite – Signup forms (official)
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: Events Manager – Calendar, Bookings, Tickets, and more!
Vulnerability: CSV Injection
Patched Version: 5.9.7.2
Recommended Action: Update to version 5.9.7.2, or a newer patched version
Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version
Plugin: Better Font Awesome
Vulnerability: Missing Authorization to Plugin Options Update
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Multiple Page Generator Plugin – MPG
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.3.18
Recommended Action: Update to version 3.3.18, or a newer patched version
Plugin: HTML filter and csv-file search
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version
Plugin: GDPR Cookie Consent by Supsystic
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Font Awesome More Icons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: wpForo Forum
Vulnerability: Cross-Site Scripting via langid parameter
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
Vulnerability: Authenticated (Shop Manager+) PHP Object Injection via create_dummy_vendor
Patched Version: 3.7.20
Recommended Action: Update to version 3.7.20, or a newer patched version
Core: WordPress
Vulnerability: Full Path Disclosure
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Smart Floating / Sticky Buttons – Call, Sharing, Chat Widgets & More – Buttonizer
Vulnerability: Type not specified in this digest; affects Smart Floating Action Button <= 2.5.4
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version
Plugin: Backup, Restore and Migrate your sites with XCloner
Vulnerability: Sensitive Information Disclosure
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: BuddyPress
Vulnerability: Missing Authorization to Group Creation
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version
Plugin: Survey Maker
Vulnerability: Reflected Cross-Site Scripting via ‘page’ parameter
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version
Plugin: Dynamic Word Spinner: CSS3 Animated Rotation
Vulnerability: Cross-Site Request Forgery via save_admin_options
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version
Plugin: Genki Pre-Publish Reminder
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WIP Custom Login
Vulnerability: Cross-Site Request Forgery via save_option
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.77.3
Recommended Action: Update to version 2.0.77.3, or a newer patched version
Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
Vulnerability: Authenticated (Admin+) Arbitrary Options Update
Patched Version: 9.7.2
Recommended Action: Update to version 9.7.2, or a newer patched version
Plugin: simple-popup-images
Vulnerability: Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: GS Insever Portfolio
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Order Export & Order Import for WooCommerce
Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload via upload_import_file
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 0.9.69
Recommended Action: Update to version 0.9.69, or a newer patched version
Plugin: Portfolio – WordPress Portfolio Plugin
Vulnerability: Cross-Site Request Forgery in rtport_spare_me
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version
Plugin: WP Category Post List Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Portrait-Archiv.com Photostore
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 1.12.1
Recommended Action: Update to version 1.12.1, or a newer patched version
Plugin: Leads and Visitor Insights
Vulnerability: Authorization Bypass
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Export All Posts, Products, Orders, Refunds & Users
Vulnerability: SQL Injection
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: wp-football
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Form Builder CP
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.32
Recommended Action: Update to version 1.2.32, or a newer patched version
Plugin: EU Cookie Law for GDPR/CCPA
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Reflected Cross-Site Scripting via code
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version
Plugin: Helpful
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.4.59
Recommended Action: Update to version 4.4.59, or a newer patched version
Plugin: AGCA – Custom Dashboard & Login Page
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 6.9
Recommended Action: Update to version 6.9, or a newer patched version
Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim
Vulnerability: Type not specified in this digest; affects Client Interface <= 3.9.1
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version
Plugin: CKEditor for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.3.1
Recommended Action: Update to version 4.5.3.1, or a newer patched version
Plugin: IBPS Online Exam Plugin for WordPress
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Cross-Site Scripting via Customizer
Patched Version: 3.7.15
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.15, 3.8.15, 3.9.13, 4.0.12, 4.1.12, 4.2.9, 4.3.5, 4.4.4, 4.5.3
Plugin: Dyslexiefont Free
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version
Plugin: RokStories
Vulnerability: Denial of Service
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version
Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.6.20
Recommended Action: Update to version 4.6.20, or a newer patched version
Plugin: Simple Ticker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.06
Recommended Action: Update to version 3.06, or a newer patched version
Plugin: Rich Reviews by Starfish
Vulnerability: SQL Injection
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version
Plugin: SpiderVPlayer
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce
Vulnerability: Missing File Type Validation
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: Poll, Survey, Questionnaire and Voting system
Vulnerability: Unauthenticated Blind SQL Injection
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version
Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 17.0.18
Recommended Action: Update to version 17.0.18, or a newer patched version
Plugin: WooCommerce Ship to Multiple Addresses
Vulnerability: Insecure Direct Object Reference
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version
Plugin: Motors – Car Dealer, Classifieds & Listing
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: PCA Predict
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 115
Recommended Action: Update to version 115, or a newer patched version
Plugin: Organization chart
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: Slideshow Gallery LITE
Vulnerability: Cross-Site Request Forgery via admin_slides
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: Mail Masta
Vulnerability: SQL Injection via id parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gestion-Pymes
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Vulnerability: 4.1.5.2 Authorization Bypass
Patched Version: 4.1.5.3
Recommended Action: Update to version 4.1.5.3, or a newer patched version
Plugin: Simple Membership
Vulnerability: Authenticated (Admin+) SQL Injections
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version
Plugin: WooCommerce Warranty Requests
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: Dynamics 365 Integration
Vulnerability: Missing Authorization via wp_ajax_wpcrm_log & wp_ajax_wpcrm_log_verbosity
Patched Version: 1.3.13
Recommended Action: Update to version 1.3.13, or a newer patched version
Plugin: Tiny carousel horizontal slider plus
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: jRSS Widget
Vulnerability: Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: External Videos
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Auto Hide Admin Bar
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Converter for Media – Optimize images | Convert WebP & AVIF
Vulnerability: Unauthenticated Open Redirect
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: bbp style pack
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.6.8
Recommended Action: Update to version 5.6.8, or a newer patched version
Plugin: reCaptcha by BestWebSoft
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.28
Recommended Action: Update to version 1.28, or a newer patched version
Plugin: Mondial Relay & Chronopost plugin for WooCommerce – WCMultiShipping
Vulnerability: WCMultiShipping <= 2.3.7
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: contus-video-comments
Vulnerability: Remote File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WHA Crossword
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: wpDataTables (Premium)
Vulnerability: Blind SQL Injection via length Parameter
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Simple Link Directory
Vulnerability: Unauthenticated SQL Injection
Patched Version: 7.7.2
Recommended Action: Update to version 7.7.2, or a newer patched version
Plugin: XML for Google Merchant Center
Vulnerability: Reflected Cross-Site Scripting via page parameter
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: Member Hero
Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AFS Analytics
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.16
Recommended Action: Update to version 4.16, or a newer patched version
Plugin: Visual Form Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Authentication Bypass
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: Pricing Table by Supsystic
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting and Setting Changes
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version
Plugin: WP SEO Tags
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kanban Boards for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.21
Recommended Action: Update to version 2.5.21, or a newer patched version
Plugin: Booqable Rental Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.4.16
Recommended Action: Update to version 2.4.16, or a newer patched version
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Authenticated SQL Injection via order & orderby Parameters
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: Login with phone number
Vulnerability: Unauthenticated Remote Plugin Deletion
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.20.2
Recommended Action: Update to version 2.2.20.2, or a newer patched version
Plugin: BulletProof Security
Vulnerability: Cross-Site Scripting
Patched Version: .52.5
Recommended Action: Update to version .52.5, or a newer patched version
Plugin: Testimonial WordPress Plugin – AP Custom Testimonial
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: Ultimate Addons for Contact Form 7
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.29
Recommended Action: Update to version 3.1.29, or a newer patched version
Plugin: Dropshipping & Affiliation with Amazon
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Admin side data storage for Contact Form 7
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: OneClick Chat to Order
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.4.2
Recommended Action: Update to version 1.0.4.2, or a newer patched version
Plugin: Yandex Metrica Counter
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Menu Extension
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP
Vulnerability: Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: Auto Affiliate Links
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.2.6
Recommended Action: Update to version 6.4.2.6, or a newer patched version
Plugin: Image Export
Vulnerability: Path Traversal
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: SAML Single Sign On – SSO Login
Vulnerability: Cross-Site Scripting
Patched Version: 4.8.73
Recommended Action: Update to version 4.8.73, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: LayerSlider
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version
Plugin: AnyMind Widget
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: DOM-based Cross-Site Scripting
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version
Plugin: Trust Payments Gateway for WooCommerce (JavaScript Library)
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Core: WordPress
Vulnerability: Denial of Service via oEmbed Protocol
Patched Version: 3.7.15
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.15, 3.8.15, 3.9.13, 4.0.12, 4.1.12, 4.2.9, 4.3.5, 4.4.4, 4.5.3
Plugin: Media File Renamer: Rename for better SEO (AI-Powered)
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version
Plugin: Download Monitor
Vulnerability: Cross-Site Scripting via sort Parameter
Patched Version: 3.3.6.2
Recommended Action: Update to version 3.3.6.2, or a newer patched version
Plugin: qTranslate X
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization
Vulnerability: Subscriber+ Arbitrary Settings Update
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version
Plugin: Display Widgets
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.04
Recommended Action: Update to version 2.04, or a newer patched version
Plugin: WCP Contact Form
Vulnerability: Missing Authorization via downloadCsv
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Activity Log
Vulnerability: Authenticated (Administrator+) SQL Injection via txtsearch
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Complianz Premium – GDPR/CCPA Cookie Consent
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.8
Recommended Action: Update to version 6.4.8, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Cross-Site Request Forgery via ‘wpfc_start_cdn_integration_ajax_request_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: VR Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: AJAX Random Posts
Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UpdraftPlus: WP Backup & Migration Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.16.66
Recommended Action: Update to version 1.16.66, or a newer patched version
Plugin: Waiting: One-click countdowns
Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘pbc_down[meta][id]’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Go Maps (formerly WP Google Maps)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.27
Recommended Action: Update to version 6.0.27, or a newer patched version
Plugin: Meta pixel for WordPress
Vulnerability: PHP Object Injection
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Podcast Subscribe Buttons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.74
Recommended Action: Update to version 3.74, or a newer patched version
Plugin: Fancy Product Designer
Vulnerability: Admin+ SQL Injection
Patched Version: 4.7.5
Recommended Action: Update to version 4.7.5, or a newer patched version
Plugin: Inspirational Quote Rotator
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Responsive Testimonials Slider And Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Podlove Podcast Publisher
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version
Plugin: Visitor Traffic Real Time Statistics
Vulnerability: Subscriber+ SQL Injection
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Server-Side Request Forgery
Patched Version: 1.0.95.1
Recommended Action: Update to version 1.0.95.1, or a newer patched version
Plugin: Crowdsignal Dashboard – Polls, Surveys & more
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: MP3-jPlayer
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 8.0.1
Recommended Action: Update to version 8.0.1, or a newer patched version
Plugin: WooPayments: Integrated WooCommerce Payments
Vulnerability: Missing Authorization via redirect_pay_for_order_to_update_payment_method
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version
Plugin: Directory Listings WordPress plugin – uListing
Vulnerability: Unauthenticated WordPress Options Changes via AJAX
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: rtMedia for WordPress, BuddyPress and bbPress
Vulnerability: Local File Inclusion
Patched Version: 3.7.19
Recommended Action: Update to version 3.7.19, or a newer patched version
Plugin: Contact Form 7
Vulnerability: Authorization Bypass
Patched Version: 5.0.4
Recommended Action: Update to version 5.0.4, or a newer patched version
Plugin: MapSVG
Vulnerability: SQL Injection
Patched Version: 6.2.20
Recommended Action: Update to version 6.2.20, or a newer patched version
Plugin: Event Notifier
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Google Alert and Twitter Plugin
Vulnerability: Multiple Vulnerabilities
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Table
Vulnerability: Local File Inclusion
Patched Version: 1.44
Recommended Action: Update to version 1.44, or a newer patched version
Plugin: Simple Ads Manager
Vulnerability: Multiple SQL Injections
Patched Version: 2.7.97
Recommended Action: Update to version 2.7.97, or a newer patched version
Plugin: Flat Preloader
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Work The Flow File Upload
Vulnerability: Arbitrary File Upload
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 7.0.1
Recommended Action: Update to version 7.0.1, or a newer patched version
Plugin: Simple Download Monitor
Vulnerability: Contributor+ Arbitrary Thumbnail Removal
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version
Plugin: WP STAGING WordPress Backup Plugin – Migration Backup Restore
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.9.18
Recommended Action: Update to version 2.9.18, or a newer patched version
Plugin: WP Mega Menu
Vulnerability: Unauthenticated Settings Update to Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Interactive Image Map Plugin – Draw Attention
Vulnerability: Missing Authorization to Arbitrary Post Featured Image Modification
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version
Plugin: Display Custom Post
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LB Mixed Slideshow for WordPress
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: leenk.me
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: Easy Digital Downloads – Upload File
Vulnerability: Arbitrary File Upload/Deletion
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Conversion Ninja
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Admin Management Xtended
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: Facebook Survey Pro
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Domain Redirect
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Nexter Extension
Vulnerability: Authenticated (Editor+) Remote Code Execution via metabox
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: OnePress Social Locker
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version
Plugin: Image Gallery – Responsive Photo Gallery
Vulnerability: SQL Injection
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version
Plugin: Upload Media By URL
Vulnerability: Cross-Site Request Forgery via ‘umbu_download’
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Redirection
Vulnerability: Cross-Site Request Forgery to Plugin Reset
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: Slideshow Gallery LITE
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3.4
Recommended Action: Update to version 1.5.3.4, or a newer patched version
Plugin: WP Super Cache
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version
Plugin: Simple PopUp
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chartify – WordPress Chart Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version
Plugin: CataBlog
Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Catalog Feed by PixelYourSite
Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: MailChimp Forms by MailMunch
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version
Plugin: Real Cookie Banner: GDPR & ePrivacy Cookie Consent
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.14.2
Recommended Action: Update to version 2.14.2, or a newer patched version
Plugin: Ketchup Restaurant Reservations
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.6.6
Recommended Action: Update to version 3.6.6, or a newer patched version
Plugin: WooCommerce Cart & Floating Cart
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Unauthenticated Admin Account Creation
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version
Plugin: Simple Membership
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.9
Recommended Action: Update to version 4.3.9, or a newer patched version
Plugin: Auto Featured Image (Auto Post Thumbnail)
Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 3.9.16
Recommended Action: Update to version 3.9.16, or a newer patched version
Plugin: My Private Site
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: WP Forum Server
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: proquoter
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: miniOrange Discord Integration
Vulnerability: Missing Authorization to Plugin Options Update
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: YITH Request a Quote for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version
Plugin: Shortcode for Current Date
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: JSM file_get_contents() Shortcode
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery via Shortcode
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: Multi Step Form
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.13
Recommended Action: Update to version 1.7.13, or a newer patched version
Plugin: ALD – AliExpress Dropshipping and Fulfillment for WooCommerce Premium
Vulnerability: AliExpress Dropshipping and Fulfillment for WooCommerce Premium <= 1.1.0
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: File Manager
Vulnerability: Sensitive Information Exposure via Backup Filenames
Patched Version: 7.2.2
Recommended Action: Update to version 7.2.2, or a newer patched version
Plugin: Show-Hide / Collapse-Expand
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Ajax Search Lite – Live Search & Filter
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.11.5
Recommended Action: Update to version 4.11.5, or a newer patched version
Plugin: ActiveDEMAND
Vulnerability: Missing Authorization Checks
Patched Version: 0.2.28
Recommended Action: Update to version 0.2.28, or a newer patched version
Plugin: Import / Export Customizer Settings
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Post Meta Data Manager
Vulnerability: Missing Authorization to Post, Term, and User Meta Deletion
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Ibtana – WordPress Website Builder
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 1.1.4.9
Recommended Action: Update to version 1.1.4.9, or a newer patched version
Plugin: CMS Tree Page View
Vulnerability: Reflected Cross-Site Scripting via ‘post_type’
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin
Vulnerability: Missing Authorization to Cache Deletion
Patched Version: 1.2.50.0
Recommended Action: Update to version 1.2.50.0, or a newer patched version
Plugin: WP Guppy
Vulnerability: Information Disclosure
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: Recently
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: Block IPs for Gravity Forms
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: gAppointments – Appointment booking addon for Gravity Forms
Vulnerability: Appointment booking addon for Gravity Forms <= 1.9.7
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version
Plugin: Social Media Widget by Acurax
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Auto Location for WP Job Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: Pods – Custom Content Types and Fields
Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Click to Chat – HoliThemes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.18.1
Recommended Action: Update to version 3.18.1, or a newer patched version
Plugin: Export to Text
Vulnerability: Unauthenticated Post Export
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Universal Analytics
Vulnerability: Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Image Hover Effects for Elementor with Lightbox and Flipbox
Vulnerability: Caption Hover with Carousel <= 2.8
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: User Post Gallery – UPG
Vulnerability: UPG <= 2.19
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Open Redirect
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Plugin: UniConsent CMP for IAB TCF GPP Consent Mode
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Question Title
Patched Version: 8.1.11
Recommended Action: Update to version 8.1.11, or a newer patched version
Plugin: LH Password Changer
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HD Quiz
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version
Plugin: WP Js External Link Info
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk
Vulnerability: Cross-Site Request Forgery via apbct_settings__update_account_email
Patched Version: 6.21
Recommended Action: Update to version 6.21, or a newer patched version
Plugin: Maps Plugin using Google Maps for WordPress – WP Google Map
Vulnerability: Subscriber+ Arbitrary Post Deletion and Plugin Settings Update
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: WordPress File Upload
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Malicious SVG
Patched Version: 4.16.3
Recommended Action: Update to version 4.16.3, or a newer patched version
Plugin: RapidLoad – Optimize Web Vitals Automatically
Vulnerability: Missing Authorization in ‘uucss_update_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Contact Form for WordPress – Ultimate Form Builder Lite
Vulnerability: Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: InPost Gallery
Vulnerability: Local File Inclusion
Patched Version: 2.1.2.1
Recommended Action: Update to version 2.1.2.1, or a newer patched version
Plugin: Appointment Booking Calendar
Vulnerability: Multiple Reflected Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: All In One Favicon
Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version
Plugin: SMTP Mailing Queue
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Vertical scroll recent post
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Unauthenticated SQL Injection via user_id
Patched Version: 19.1.5.1
Recommended Action: Update to version 19.1.5.1, or a newer patched version
Plugin: Safe SVG
Vulnerability: Cross-Site Scripting
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version
Plugin: SupportCandy – Helpdesk & Customer Support Ticket System
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: School Management System – WPSchoolPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Contact Bank – Contact Form Builder for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Directory Traversal
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version
Plugin: BuddyPress
Vulnerability: 1.5-1.5.4
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Quick Paypal Payments
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.7.26.4
Recommended Action: Update to version 5.7.26.4, or a newer patched version
Plugin: Related Posts for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: Injection Guard
Vulnerability: Cross-Site Request Forgery to Whitelist Update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Five Minute Webshop
Vulnerability: Authenticated (Admin+) SQL Injection via id
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Nested Pages
Vulnerability: Missing Authorization
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: Easy SVG Allow
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Activation Email
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEO by 10Web
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Authenticated (Subscriber+) Information Disclosure via mf shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: PayGreen – Ancienne version
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clean Login
Vulnerability: Cross-Site Scripting
Patched Version: 1.12.6.4
Recommended Action: Update to version 1.12.6.4, or a newer patched version
Plugin: WP Open Street Map
Vulnerability: Cross-Site Request Forgery via wp_openstreetmaps
Patched Version: 1.30
Recommended Action: Update to version 1.30, or a newer patched version
Plugin: Restaurant Reservations
Vulnerability: Options Change
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Ready! Ecommerce Shopping Cart
Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting
Patched Version: 0.5.1
Recommended Action: Update to version 0.5.1, or a newer patched version
Plugin: Event Registration Calendar By vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: miwoftp
Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Core: WordPress
Vulnerability: Same Origin Policy Bypass
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Toggle The Title
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Exit Box Lite
Vulnerability: Full Path Disclosure
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version
Core: WordPress
Vulnerability: XML External Entity (XXE) Weakness
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version
Plugin: Site Reviews
Vulnerability: Missing Authorization
Patched Version: 6.10.3
Recommended Action: Update to version 6.10.3, or a newer patched version
Plugin: FAQs Manager
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Layer Slider
Vulnerability: Cross-Site Request Forgery via save_slide_ajax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Plugin Mobile App Native 3.0
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Add Any Extension to Pages
Vulnerability: Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: SAML Single Sign On – SSO Login Standard
Vulnerability: Open Redirect
Patched Version: 16.0.8
Recommended Action: Update to version 16.0.8, or a newer patched version
Plugin: Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard
Vulnerability: Directory Traversal
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version
Plugin: MPL-Publisher — Ebook & Audiobook Creator
Vulnerability: Various Plugins (Various Versions)
Patched Version: 1.29.2
Recommended Action: Update to version 1.29.2, or a newer patched version
Plugin: Button Builder – Buttons X
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Cross-Site Request Forgery to Product Limit Update
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version
Plugin: kk Star Ratings – Rate Post & Collect User Feedbacks
Vulnerability: Missing Authorization
Patched Version: 5.4.6
Recommended Action: Update to version 5.4.6, or a newer patched version
Plugin: Easy Form Builder
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.5.7.1
Recommended Action: Update to version 2.5.7.1, or a newer patched version
Plugin: Slider Revolution
Vulnerability: Cross-Site Scripting
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version
Plugin: BestWebSoft's Twitter
Vulnerability: Cross-Site Scripting
Patched Version: 2.55
Recommended Action: Update to version 2.55, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.19
Recommended Action: Update to version 1.15.19, or a newer patched version
Plugin: Ultimate Addons for Beaver Builder
Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 1.35.15
Recommended Action: Update to version 1.35.15, or a newer patched version
Plugin: Amazon Einzeltitellinks
Vulnerability: Cross-Site Request Forgery to Arbitrary Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Alpine Photo Tile for Instagram
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: WhitePage
Vulnerability: Cross-Site Request Forgery via params_api_form.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Lightweight Accordion
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.15
Recommended Action: Update to version 1.5.15, or a newer patched version
Plugin: WPO365 | Mail Integration for Office 365 / Outlook
Vulnerability: Reflected Cross-Site Scripting via error_description
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Drag and Drop Multiple File Upload – Contact Form 7
Vulnerability: Contact Form 7 <= 1.3.7.3
Patched Version: 1.3.7.4
Recommended Action: Update to version 1.3.7.4, or a newer patched version
Plugin: Ultimate SMS Notifications for WooCommerce
Vulnerability: CSV Injection
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: Import and export users and customers
Vulnerability: Import Cross-Site Scripting
Patched Version: 1.12.1
Recommended Action: Update to version 1.12.1, or a newer patched version
Plugin: BERTHA AI. Your AI co-pilot for WordPress and Chrome
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.11.10.8
Recommended Action: Update to version 1.11.10.8, or a newer patched version
Plugin: Jetpack – WP Security, Backup, Speed, & Growth
Vulnerability: Information Disclosure
Patched Version: 2.0.8
Recommended Action: Update to one of the following versions, or a newer patched version: 2.0.8, 2.1.6, 2.2.9, 2.3.9, 2.4.6, 2.5.4, 2.6.5, 2.7.4, 2.8.4, 2.9.5, 3.0.5, 3.1.4, 3.2.4, 3.3.5, 3.4.5, 3.5.5, 3.6.3, 3.7.4, 3.8.4, 3.9.8, 4.0.5, 4.1.2, 4.2.3, 4.3.3, 4.4.3, 4.5.1, 4.6.1, 4.7.2, 4.8.3, 4.9.1, 5.0.1, 5.1.2, 5.2.3, 5.3.2, 5.4.2, 5.5.3, 5.6.3, 5.7.3, 5.8.2, 5.9.2, 6.0.2, 6.1.3, 6.2.3, 6.3.5, 6.4.4, 6.5.2, 6.6.3, 6.7.2, 6.8.3, 6.9.2, 7.0.3, 7.1.3, 7.2.3, 7.3.3, 7.4.3, 7.5.5, 7.6.2, 7.7.4, 7.8.2, 7.9.2, 8.0.1, 8.1.2, 8.2.4, 8.3.1, 8.4.3, 8.5.1, 8.6.2, 8.7.2, 8.8.3, 8.9.2, 9.0.3, 9.1.1, 9.2.2, 9.3.3, 9.4.2, 9.5.3, 9.6.2, 9.7.1
Plugin: twitterDash
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Review Stream
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Plugin: Qubely – Advanced Gutenberg Blocks
Vulnerability: Missing Authorization to Arbitrary Post Deletion
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version
Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More
Vulnerability: Cross-Site Scripting
Patched Version: 0.4.5
Recommended Action: Update to version 0.4.5, or a newer patched version
Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.4.2
Recommended Action: Update to version 3.0.4.2, or a newer patched version
Plugin: Social Slider Feed
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Instant Images – One-click Image Uploads from Unsplash, Openverse, Pixabay, Pexels, and Giphy
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.4.0.1
Recommended Action: Update to version 4.4.0.1, or a newer patched version
Plugin: Void Elementor Post Grid Addon for Elementor Page builder
Vulnerability: Missing Authorization to Review Notice Dismissal
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Firelight Lightbox
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.8.18
Recommended Action: Update to version 1.8.18, or a newer patched version
Plugin: All in One SEO Pro – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic
Vulnerability: Authenticated (Admin+) Server Side Request Forgery
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version
Plugin: Contact Form X
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Swift SMTP (formerly Welcome Email Editor)
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.7
Recommended Action: Update to version 5.0.7, or a newer patched version
Plugin: CP Contact Form with PayPal
Vulnerability: Authenticated Feedback Submission
Patched Version: 1.3.35
Recommended Action: Update to version 1.3.35, or a newer patched version
Plugin: GB Team Stats
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: Document Embedder – Document Embedder Plugin
Vulnerability: Subscriber+ Arbitrary Private/Draft Post Title Disclosure
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version
Plugin: Media File Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Fancy Product Designer
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 4.6.9
Recommended Action: Update to version 4.6.9, or a newer patched version
Plugin: RapidLoad – Optimize Web Vitals Automatically
Vulnerability: Missing Authorization in ‘attach_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Core: WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.32
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.32, 3.8.32, 3.9.30, 4.0.29, 4.1.29, 4.2.26, 4.3.22, 4.4.21, 4.5.20, 4.6.17, 4.7.16, 4.8.12, 4.9.13, 5.0.8, 5.1.4, 5.2.5, 5.3.1
Plugin: hybrid-composer
Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: CBI Referral Manager
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Elegant Testimonial
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: English WordPress Admin
Vulnerability: Unauthenticated Open Redirect
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Vulnerability: Missing Access Controls
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Vulnerability: Authorization Bypass due to Improper Access Control
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version
Plugin: Easy Forms for Mailchimp
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.8.7
Recommended Action: Update to version 6.8.7, or a newer patched version
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Authenticated Settings Reset via reset-cmb Parameter
Patched Version: 1.0.27.1
Recommended Action: Update to version 1.0.27.1, or a newer patched version
Plugin: Arigato Autoresponder and Newsletter
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.2.3
Recommended Action: Update to version 2.7.2.3, or a newer patched version
Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2021.18
Recommended Action: Update to version 2021.18, or a newer patched version
Plugin: Social Media Share Buttons & Social Sharing Icons
Vulnerability: Missing Authorization via handle_installation
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version
Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 4.0.11
Recommended Action: Update to version 4.0.11, or a newer patched version
Plugin: wp-publications
Vulnerability: Local File Inclusion
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: WP Product Review Lite
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version
Plugin: WooCommerce Cart & Floating Cart
Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version
Plugin: SMSmaster – Multipurpose SMS Gateway for WordPress
Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Insert or Embed Articulate Content into WordPress
Vulnerability: Directory Traversal
Patched Version: 4.29991
Recommended Action: Update to version 4.29991, or a newer patched version
Plugin: Redirection
Vulnerability: Missing Authorization in ‘deleteRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Cross-Site Request Forgery to Settings Modification
Patched Version: 4.6.0.4
Recommended Action: Update to version 4.6.0.4, or a newer patched version
Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version
Plugin: Smash Balloon Social Photo Feed – Easy Social Feeds Plugin
Vulnerability: Cross-Site Request Forgery to Back-Up Deletion
Patched Version: 1.12
Recommended Action: Update to version 1.12, or a newer patched version
Plugin: Contact Form by Supsystic
Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.7.25
Recommended Action: Update to version 1.7.25, or a newer patched version
Plugin: Go Pricing – WordPress Responsive Pricing Tables
Vulnerability: WordPress Responsive Pricing Tables <= 3.3.19
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: PowerPress Podcasting plugin by Blubrry
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 10.0.2
Recommended Action: Update to version 10.0.2, or a newer patched version
Plugin: kk Star Ratings – Rate Post & Collect User Feedbacks
Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: 5.4.4
Recommended Action: Update to version 5.4.4, or a newer patched version
Plugin: WP 2FA – Two-factor authentication for WordPress
Vulnerability: Missing Authorization
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: HDW WordPress Video Gallery
Vulnerability: Reflected Cross-Site Scripting via channel parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Slider Feed
Vulnerability: Missing Authorization to Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Myflash
Vulnerability: Remote File Inclusion
Patched Version: 1.11
Recommended Action: Update to version 1.11, or a newer patched version
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Sensitive Information Exposure
Patched Version: 4.1.10
Recommended Action: Update to version 4.1.10, or a newer patched version
Plugin: CF7 Google Sheets Connector Pro
Vulnerability: Reflected Cross-Site Scripting via ‘code’
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version
Plugin: Directory Listings WordPress plugin – uListing
Vulnerability: Unauthenticated Arbitrary Account Creation
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Backup, Restore and Migrate your sites with XCloner
Vulnerability: 4.2.12
Patched Version: 4.2.153
Recommended Action: Update to version 4.2.153, or a newer patched version
Plugin: WP Forms Puzzle Captcha
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Unauthorized Account Access and Privilege Escalation
Patched Version: 4.10.8
Recommended Action: Update to version 4.10.8, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Cross-Site Request Forgery via ‘wpfc_preload_single_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: JetSearch
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.2.1
Recommended Action: Update to version 3.1.2.1, or a newer patched version
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: Location Weather – Hourly, Daily Weather Forecast Widget and Weather Map
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Ad Inserter – Ad Manager & AdSense Ads
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 2.7.26
Recommended Action: Update to version 2.7.26, or a newer patched version
Plugin: Olevmedia Shortcodes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Appointment Booking Calendar
Vulnerability: Missing Authorization
Patched Version: 1.3.70
Recommended Action: Update to version 1.3.70, or a newer patched version
Plugin: WP Google Tag Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Email Artillery (MASS EMAIL)
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version
Plugin: Restricted Site Access
Vulnerability: Sandbox Bypass
Patched Version: 7.4.0
Recommended Action: Update to version 7.4.0, or a newer patched version
Plugin: Abandoned Cart Lite for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.16.2
Recommended Action: Update to version 5.16.2, or a newer patched version
Plugin: Download Monitor
Vulnerability: Authenticated Arbitrary File Download
Patched Version: 4.5.91
Recommended Action: Update to version 4.5.91, or a newer patched version
Plugin: Cool Timeline (Horizontal & Vertical Timeline)
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: Contact Us Page – Contact People
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version
Plugin: Yoast Duplicate Post
Vulnerability: SQL Injection
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: Simple Download Monitor
Vulnerability: Contributor+ Stored Cross-Site Scripting via Shortcodes
Patched Version: 3.9.11
Recommended Action: Update to version 3.9.11, or a newer patched version
Plugin: Booking Calendar – Clockwork SMS
Vulnerability: Clockwork SMS <= 1.0.5
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: WPMK Ajax Finder
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 8.3.1
Recommended Action: Update to version 8.3.1, or a newer patched version
Plugin: Ad Inserter – Ad Manager & AdSense Ads
Vulnerability: Authenticated Remote Code Execution
Patched Version: 2.4.22
Recommended Action: Update to version 2.4.22, or a newer patched version
Plugin: Watu Quiz
Vulnerability: Reflected Cross-Site Scripting via ‘question’
Patched Version: 3.3.9.3
Recommended Action: Update to version 3.3.9.3, or a newer patched version
Plugin: Awesome Weather Widget
Vulnerability: Reflected Cross-Site Scripting via id Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: iframe popup
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP 2FA – Two-factor authentication for WordPress
Vulnerability: Time-Based TOTP attack to Sensitive Information Exposure
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Core: WordPress
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.1.2
Recommended Action: Update to version 1.5.1.2, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Comments – wpDiscuz
Vulnerability: wpDiscuz <= 7.3.11 Sensitive Information Disclosure
Patched Version: 7.3.12
Recommended Action: Update to version 7.3.12, or a newer patched version
Plugin: Event Calendar WD version
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.46
Recommended Action: Update to version 1.1.46, or a newer patched version
Plugin: WooCommerce Composite Products
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.7.6
Recommended Action: Update to version 8.7.6, or a newer patched version
Plugin: Accredible Certificates & Open Badges
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cart All In One For WooCommerce
Vulnerability: Cross-Site Request Forgery to Cart Changes
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version
Plugin: MapGeo – Interactive Geo Maps
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version
Plugin: WordPress Easy Custom Js And Css Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Missing Authorization via REST API
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: Easy EU Value Added (VAT) Taxes Add-on
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: S3 Video Plugin
Vulnerability: Cross-Site Scripting
Patched Version: 0.98
Recommended Action: Update to version 0.98, or a newer patched version
Plugin: Attendance Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.5.7
Recommended Action: Update to version 0.5.7, or a newer patched version
Plugin: Accept Donations with PayPal & Stripe
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: SQL Injection
Patched Version: 3.2.6.8
Recommended Action: Update to version 3.2.6.8, or a newer patched version
Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode
Vulnerability: Cross-Site Scripting via button_text_link parameter
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version
Plugin: 2kb Amazon Affiliates Store
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wonder PDF Embed
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Arigato Autoresponder and Newsletter
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Font Awesome
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version
Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VK All in One Expansion Unit
Vulnerability: Stored (Contributor+) Cross-Site Scripting in CTA Post
Patched Version: 9.88.2.0
Recommended Action: Update to version 9.88.2.0, or a newer patched version
Plugin: Team Showcase
Vulnerability: Object Injection
Patched Version: 1.22.16
Recommended Action: Update to version 1.22.16, or a newer patched version
Plugin: Easy Accordion – Responsive Accordion FAQ Builder and Product FAQ
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Store Locator WordPress
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via ‘category_name’, ‘description’, ‘description_2’ parameters
Patched Version: 1.4.10
Recommended Action: Update to version 1.4.10, or a newer patched version
Plugin: SiteOrigin Widgets Bundle
Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 1.51.0
Recommended Action: Update to version 1.51.0, or a newer patched version
Plugin: Email Tracker – Email Tracking Plugin to track Emails for Open and Email Links Click (Compatible with WooCommerce)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version
Plugin: Jupiter X Core
Vulnerability: 3.3.0
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version
Plugin: NAB Transact
Vulnerability: Payment System Bypass
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Search Everything
Vulnerability: SQL Injection
Patched Version: 7.0.3
Recommended Action: Update to version 7.0.3, or a newer patched version
Plugin: Phone Orders for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version
Plugin: HTML5 Webcam/Screen/Mic Recorder for Video Comments and Forms
Vulnerability: Cross-Site Scripting
Patched Version: 1.55.3
Recommended Action: Update to version 1.55.3, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Missing Authorization via wp_ajax_stm_wpcfto_get_settings
Patched Version: 2.9.35
Recommended Action: Update to version 2.9.35, or a newer patched version
Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.6
Recommended Action: Update to version 3.8.6, or a newer patched version
Plugin: WP Support Plus Responsive Ticket System
Vulnerability: Arbitrary File Upload
Patched Version: 8.0.8
Recommended Action: Update to version 8.0.8, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Admin+ SQL Injection
Patched Version: 2.2.13.1
Recommended Action: Update to version 2.2.13.1, or a newer patched version
Plugin: Raygun
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Flagallery-skins
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Private Files – File Upload & Download Manager with Secure File Sharing
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Smart Post Show – Post Grid, Post Carousel, Post Slider, Post Timeline, Post Table, and List Category Posts, Latest Posts, Recent Posts, Popular Posts and More
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.4.19
Recommended Action: Update to version 2.4.19, or a newer patched version
Plugin: Limit Login Attempts Reloaded
Vulnerability: Missing Authorization
Patched Version: 2.25.26
Recommended Action: Update to version 2.25.26, or a newer patched version
Plugin: Import and export users and customers
Vulnerability: CSV injection via a customer’s profile
Patched Version: 1.16.3.6
Recommended Action: Update to version 1.16.3.6, or a newer patched version
Plugin: Popup Like box – Page Plugin
Vulnerability: SQL Injection
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version
Plugin: Easy Testimonial Manager
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quotes llama
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version
Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Vulnerability: Authenticated (Administrator+) SQL Injection via ‘type’
Patched Version: 1.12.4
Recommended Action: Update to version 1.12.4, or a newer patched version
Plugin: Get Custom Field Values
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin widget
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version
Plugin: Transposh WordPress Translation
Vulnerability: Missing Authorization Checks
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Republish Old Posts
Vulnerability: Cross-Site Request Forgery via rop_options_page
Patched Version: 1.27
Recommended Action: Update to version 1.27, or a newer patched version
Plugin: WP Easy Gallery – WordPress Gallery Plugin
Vulnerability: SQL Injection
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: Bold Page Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version
Plugin: Community Events
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version
Plugin: Image Slider by NextCode – Photo & Video Slider
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Windows Desktop and iPhone Photo Uploader
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PWGRandom
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Table of Contents Plus
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2212
Recommended Action: Update to version 2212, or a newer patched version
Plugin: Import WP – Export and Import CSV and XML files to WordPress
Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: Flexible Elementor Panel
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Missing Authorization in ‘wpfc_purgecache_varnish_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: WP To Do
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: WooCommerce
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: YITH WooCommerce Gift Cards Premium
Vulnerability: Missing Authorization
Patched Version: 3.24.0
Recommended Action: Update to version 3.24.0, or a newer patched version
Plugin: WP Go Maps (formerly WP Google Maps)
Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 9.0.16
Recommended Action: Update to version 9.0.16, or a newer patched version
Plugin: Social Rocket – Social Sharing Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version
Plugin: Uji Popup
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via uji_popup_code shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Authenticated PHP4 Upload
Patched Version: 5.11.1
Recommended Action: Update to version 5.11.1, or a newer patched version
Plugin: SMSA Shipping for WooCommerce
Vulnerability: Authenticated (Subscriber+) Arbitrary File Download
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: Widget Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AFI – The Easiest Integration Plugin
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.63.0
Recommended Action: Update to version 1.63.0, or a newer patched version
Plugin: Coming Soon, Under Construction & Maintenance Mode By Dazzler
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: Torro Forms
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BlossomThemes Email Newsletter
Vulnerability: Missing Authorization
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Vision – Interactive Image Map Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Staff / Employee Business Directory for Active Directory
Vulnerability: Authenticated (Admin+) LDAP Passback
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Simple:Press Forum
Vulnerability: Authenticated (Admin+) Path Traversal to Arbitrary File Modification
Patched Version: 6.8.1
Recommended Action: Update to version 6.8.1, or a newer patched version
Plugin: Contextual Related Posts
Vulnerability: SQL Injection
Patched Version: 1.8.10.2
Recommended Action: Update to version 1.8.10.2, or a newer patched version
Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
Vulnerability: Authenticated (Author+) Open Redirect
Patched Version: 6.9.19
Recommended Action: Update to version 6.9.19, or a newer patched version
Plugin: Portfolio, Gallery, Product Catalog – Grid KIT Portfolio
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Pinterest RSS Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.27
Recommended Action: Update to version 1.0.27, or a newer patched version
Plugin: Essential Blocks Pro
Vulnerability: Unauthenticated PHP Object Injection via products
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: 3CX Free Live Chat, Calls & WhatsApp
Vulnerability: Cross-Site Scripting
Patched Version: 7.1.03
Recommended Action: Update to version 7.1.03, or a newer patched version
Plugin: Insert Pages
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version
Plugin: Fast Flow
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version
Plugin: Amministrazione Trasparente
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.0.5
Recommended Action: Update to version 8.0.5, or a newer patched version
Plugin: Featured Image Pro Post Grid
Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 5.15
Recommended Action: Update to version 5.15, or a newer patched version
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version
Plugin: Font Awesome 4 Menus
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Active Products Tables for WooCommerce. Use constructor to create tables
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.6.1
Recommended Action: Update to version 1.0.6.1, or a newer patched version
Plugin: Eupago Gateway For Woocommerce
Vulnerability: Cross-Site Request Forgery via eupago_page_content
Patched Version: 3.1.10
Recommended Action: Update to version 3.1.10, or a newer patched version
Plugin: WordPress Landing Pages
Vulnerability: Unauthenticated Remote Command Execution
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version
Core: WordPress
Vulnerability: Username Enumeration via Error Messages
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Food Store – Online Food Delivery & Pickup
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_transaction_id’ shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: WP-CopyProtect [Protect your blog posts]
Vulnerability: Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: WordPress Contact Form, Drag and Drop Form Builder Plugin – Live Forms
Vulnerability: Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: MSync
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Social Icons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: WordPress Popular Posts
Vulnerability: Unauthenticated Views Changes
Patched Version: 6.1.0
Recommended Action: Update to version 6.1.0, or a newer patched version
Plugin: WP Recipe Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via header_tag
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version
Plugin: Directory Listings WordPress plugin – uListing
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: SlimStat Analytics
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version
Plugin: WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy2Map
Vulnerability: Directory Traversal and Local File Inclusion
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Advanced Text Widget
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Convert to Blocks
Vulnerability: Prototype Pollution
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: CM Download Manager – Document and File Management
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Authenticated Shell Upload
Patched Version: 4.22
Recommended Action: Update to version 4.22, or a newer patched version
Plugin: WebEngage Feedback, Survey and Notification
Vulnerability: Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Core: WordPress
Vulnerability: PHAR Unserialization
Patched Version: 3.7.28
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1
Plugin: Translate WordPress – Google Language Translator
Vulnerability: Google Language Translator <= 6.0.11
Patched Version: 6.0.12
Recommended Action: Update to version 6.0.12, or a newer patched version
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.0.107.3
Recommended Action: Update to version 1.0.107.3, or a newer patched version
Plugin: Form Builder | Create Responsive Contact Forms
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Brizy – Page Builder
Vulnerability: Authenticated Stored Cross-Site Scripting via Element URL
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: CP Reservation Calendar
Vulnerability: SQL Injection
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: YouTube Embed
Vulnerability: Cross-Site Scripting
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version
Plugin: Captcha!
Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: Customize Login Image
Vulnerability: Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Admin+ SQL Injection
Patched Version: 17.0.5
Recommended Action: Update to version 17.0.5, or a newer patched version
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Plugin: Enable/Disable Auto Login when Register
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tussendoor – Open RDW
Vulnerability: Reflected Cross-Site Scripting via open_data_rdw_kenteken
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: WPBakery Page Builder for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version
Core: WordPress
Vulnerability: No subtitle
Patched Version: 4.1.39
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.39, 4.2.36, 4.3.32, 4.4.31, 4.5.30, 4.6.27, 4.7.27, 4.8.23, 4.9.24, 5.0.20, 5.1.17, 5.2.19, 5.3.16, 5.4.14, 5.5.13, 5.6.12, 5.7.10, 5.8.8, 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2
Plugin: DeepL API translation plugin
Vulnerability: Cross-Site Request Forgery via saveSettings
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: HTML2WP
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CBX Map for Google Map & OpenStreetMap
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.12
Recommended Action: Update to version 1.1.12, or a newer patched version
Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: Banner Effect Header
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: WP Smart Import : Import any XML File to WordPress
Vulnerability: Server-Side Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Website Contact Form With File Upload
Vulnerability: Arbitrary File Upload
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Sensitive Information Exposure
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Five Star Restaurant Reservations – WordPress Booking Plugin
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 2.4.12
Recommended Action: Update to version 2.4.12, or a newer patched version
Plugin: AgentEasy Properties
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)
Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 7.5.13
Recommended Action: Update to version 7.5.13, or a newer patched version
Plugin: SEO Redirection Plugin – 301 Redirect Manager
Vulnerability: Subscriber+ SQL Injection
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version
Plugin: JobSearch WP Job Board
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: PDF Builder for WooCommerce. Create invoices, packing slips and more
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.2.92
Recommended Action: Update to version 1.2.92, or a newer patched version
Plugin: Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: WordPress Renaming Tool by Vlajo
Vulnerability: Path Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Floating Button
Vulnerability: Cross-Site Request Forgery via process_bulk_action
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version
Plugin: Timed Popup WordPress Plugin
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Annual Archive
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MailUp newsletter sign-up form
Vulnerability: Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Core: WordPress MU
Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: Vision – Interactive Image Map Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: GTM4WP – A Google Tag Manager (GTM) plugin for WordPress
Vulnerability: Stored Cross-Site Scripting via Content Element ID
Patched Version: 1.15.2
Recommended Action: Update to version 1.15.2, or a newer patched version
Plugin: Booster for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version
Plugin: wpDataTables (Premium)
Vulnerability: Improper Access Control leading to Table Data Deletion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Melapress File Monitor
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.9.11
Recommended Action: Update to version 2.0.9.11, or a newer patched version
Plugin: RokIntroScroller
Vulnerability: Arbitrary File Upload
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: WP Upload Restriction
Vulnerability: Missing Authorization Checks
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Database Peek
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: acf-frontend-display
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Administrator Z
Vulnerability: Unauthorized File Upload via ACF
Patched Version: 2022.9.29
Recommended Action: Update to version 2022.9.29, or a newer patched version
Plugin: Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back
Vulnerability: Cross-Site Request Forgery via cbb_submit_settings_data
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Total Donations
Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version
Plugin: Event Registration Calendar By vcita
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Events Manager – Calendar, Bookings, Tickets, and more!
Vulnerability: Cross-Site Scripting
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version
Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction
Vulnerability: Open Redirect
Patched Version: 3.7.2.4
Recommended Action: Update to version 3.7.2.4, or a newer patched version
Plugin: WP Recipe Maker
Vulnerability: Reflected Cross-Site Scripting via Referer
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version
Plugin: Waitlist Woocommerce ( Back in stock notifier )
Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Authenticated (Admin+) Directory Traversal to Arbitrary File Deletion
Patched Version: 0.9.1.7
Recommended Action: Update to version 0.9.1.7, or a newer patched version
Plugin: gAppointments – Appointment booking addon for Gravity Forms
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version
Plugin: MP3-jPlayer
Vulnerability: Full Path Disclosure
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Custom 404 Pro
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version
Plugin: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
Vulnerability: Stored (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Cart66 Lite :: WordPress Ecommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.1.15
Recommended Action: Update to version 1.5.1.15, or a newer patched version
Plugin: Booking calendar, Appointment Booking System
Vulnerability: Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: I Recommend This
Vulnerability: SQL Injection
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version
Plugin: WordPress Infinite Scroll – Ajax Load More
Vulnerability: SQL Injection
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version
Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Vulnerability: Insecure Direct Object Reference
Patched Version: 5.0.9
Recommended Action: Update to version 5.0.9, or a newer patched version
Plugin: Nextend Social Login and Register
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Database Backup for WordPress
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: GD Star Rating
Vulnerability: Blind SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Search Exclude
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Zendesk Support for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version
Plugin: Forget About Shortcode Buttons
Vulnerability: Missing Authorization via fasc_buttons
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Tainacan
Vulnerability: Cross-Site Scripting
Patched Version: 0.18.10
Recommended Action: Update to version 0.18.10, or a newer patched version
Plugin: Five Minute Webshop
Vulnerability: Authenticated (Admin+) SQL Injection via orderby
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via cg_option_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Core: WordPress
Vulnerability: Cache Poisoning
Patched Version: 3.7.31
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.31, 3.8.31, 3.9.29, 4.0.28, 4.1.28, 4.2.25, 4.3.21, 4.4.20, 4.5.19, 4.6.16, 4.7.15, 4.8.11, 4.9.12, 5.0.7, 5.1.3, 5.2.4
Plugin: Media Library Assistant
Vulnerability: Remote Code Execution via tax_query, meta_query, date_query Parameters
Patched Version: 2.82
Recommended Action: Update to version 2.82, or a newer patched version
Plugin: Jetpack – WP Security, Backup, Speed, & Growth
Vulnerability: Cross-Site Scripting
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: Goods Catalog
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HDW WordPress Video Gallery
Vulnerability: Reflected Cross-Site Scripting via playlist parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation and Deactivation
Patched Version: 13.1.2
Recommended Action: Update to version 13.1.2, or a newer patched version
Plugin: SMS Alert Order Notifications – WooCommerce
Vulnerability: Cross-Site Scripting
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version
Plugin: Activity Log – Monitor & Record User Changes
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Quttera Web Malware Scanner
Vulnerability: Sensitive Data Exposure
Patched Version: 3.4.2.1
Recommended Action: Update to version 3.4.2.1, or a newer patched version
Plugin: Userback
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version
Plugin: WP Contact Slider – Slide Out Contact Form for WordPress to display Contact Form 7, Gravity Forms, WP Forms, Ninja Forms, plain text/HTML & other shortcodes
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: 001 Prime Strategy Translate Accelerator
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup Manager
Vulnerability: Missing Authorization to Arbitrary Popup Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Activity Reactions For Buddypress
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Activity Log – Monitor & Record User Changes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: Ultimate Product Catalog
Vulnerability: SQL Injection
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: Simple CSV/XLS Exporter
Vulnerability: CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection
Vulnerability: Hidden Login Bypass
Patched Version: 7.9.1
Recommended Action: Update to version 7.9.1, or a newer patched version
Plugin: Rich Table of Contents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Code Snippets Extended
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Content Repeater – Custom Posts Simplified
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Widget
Patched Version: 1.8.19
Recommended Action: Update to version 1.8.19, or a newer patched version
Plugin: JetWidgets For Elementor
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: MagicForm
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Symposium
Vulnerability: Blind SQL Injection
Patched Version: 15.8
Recommended Action: Update to version 15.8, or a newer patched version
Plugin: Booster Plus for WooCommerce
Vulnerability: Cross-Site Request Forgery leading to Arbitrary Custom Role Creation/Deletion
Patched Version: 5.6.6
Recommended Action: Update to version 5.6.6, or a newer patched version
Plugin: wpShopGermany – Protected Shops
Vulnerability: Protected Shops <= 2.0
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: 1.9.11
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Flowplayer Video Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: WordPress Poll
Vulnerability: SQL Injection
Patched Version: 34.06
Recommended Action: Update to version 34.06, or a newer patched version
Plugin: Universal Star Rating
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: WTI Like Post
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: CM Download Manager – Document and File Management
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version
Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.185.1
Recommended Action: Update to version 5.185.1, or a newer patched version
Plugin: iQ Block Country
Vulnerability: Admin+ Arbitrary File Deletion via Zip Slip
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version
Plugin: TagGator
Vulnerability: SQL Injection
Patched Version: 1.33
Recommended Action: Update to version 1.33, or a newer patched version
Plugin: WP Cumulus
Vulnerability: Sensitive Information Exposure
Patched Version: 1.23
Recommended Action: Update to version 1.23, or a newer patched version
Plugin: Photo Gallery by Ays – Responsive Image Gallery
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.7
Recommended Action: Update to version 5.2.7, or a newer patched version
Plugin: Twitter Cards Meta – Best Twitter Card Plugin for WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: Adapta RGPD
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: 3CX Free Live Chat, Calls & WhatsApp
Vulnerability: Cross-Site Scripting
Patched Version: 8.0.08
Recommended Action: Update to version 8.0.08, or a newer patched version
Plugin: Church Admin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version
Plugin: wpShopGermany IT-RECHT KANZLEI
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: WP Favorite Posts
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Plugin: Simple Job Board
Vulnerability: Missing Authorization
Patched Version: 2.10.6
Recommended Action: Update to version 2.10.6, or a newer patched version
Core: WordPress
Vulnerability: Missing Authorization
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: WordPress Responsive Preview
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Authenticated Open Redirect
Patched Version: 3.3.19.1
Recommended Action: Update to version 3.3.19.1, or a newer patched version
Plugin: Auto Featured Image (Auto Post Thumbnail)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via import
Patched Version: 3.6.11
Recommended Action: Update to version 3.6.11, or a newer patched version
Plugin: Transposh WordPress Translation
Vulnerability: Unauthorized Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: cformsII
Vulnerability: Arbitrary File Upload
Patched Version: 14.8
Recommended Action: Update to version 14.8, or a newer patched version
Plugin: WDSocialWidgets
Vulnerability: SQL Injection
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version
Plugin: Banner Management For WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version
Plugin: simpleflickr
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RokStories
Vulnerability: Full Path Disclosure
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version
Plugin: WP BaiDu Submit
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gallery PhotoBlocks
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
Vulnerability: Authenticated Stored Cross-Site Scripting via Title & Description
Patched Version: 9.8.0
Recommended Action: Update to version 9.8.0, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.11.1
Recommended Action: Update to version 2.7.11.1, or a newer patched version
Plugin: BackUpWordPress
Vulnerability: Remote File Inclusion
Patched Version: 0.4.3
Recommended Action: Update to version 0.4.3, or a newer patched version
Plugin: Simple Quotation
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 301 Redirects – Easy Redirect Manager
Vulnerability: Easy Redirect Manager <= 2.72
Patched Version: 2.73
Recommended Action: Update to version 2.73, or a newer patched version
Plugin: Testimonial WordPress Plugin – AP Custom Testimonial
Vulnerability: SQL Injection
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
Plugin: WPPizza – A Restaurant Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.17.2
Recommended Action: Update to version 3.17.2, or a newer patched version
Plugin: Crayon Syntax Highlighter
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Easy Gallery – WordPress Gallery Plugin
Vulnerability: Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: WP Maintenance Mode & Site Under Construction
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: MainWP Maintenance Extension
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version
Plugin: Like Button Rating ♥ LikeBtn
Vulnerability: Arbitrary Settings Change
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version
Plugin: WP Brutal AI
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.06
Recommended Action: Update to version 2.06, or a newer patched version
Plugin: wp-live-chat-support-pro
Vulnerability: Arbitrary File Upload
Patched Version: 8.0.27
Recommended Action: Update to version 8.0.27, or a newer patched version
Plugin: Download Manager
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 3.2.49
Recommended Action: Update to version 3.2.49, or a newer patched version
Plugin: Push Notification for Post and BuddyPress
Vulnerability: Missing Authorization to Unauthenticated Admin Notice Dismissal
Patched Version: 1.64
Recommended Action: Update to version 1.64, or a newer patched version
Plugin: HTML5 SoundCloud Player with Playlist Free
Vulnerability: Authenticated (Author+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YASR – Yet Another Star Rating Plugin for WordPress
Vulnerability: Missing Authorization to Vote Tampering
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘pages’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Protect WP Admin
Vulnerability: Unauthenticated Plugin Deactivation
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version
Plugin: Image Gallery – Responsive Photo Gallery
Vulnerability: Responsive Photo Gallery <= 1.7.0
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: WP People
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Field Template
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: Coupon Tab for DirectoryPress (pp-coupon-tab)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hubbub Lite – Fast, Reliable Social Sharing Buttons
Vulnerability: Missing Authorization via multiple admin_init actions
Patched Version: 1.30.1
Recommended Action: Update to version 1.30.1, or a newer patched version
Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction
Vulnerability: Missing Authorization to Arbitrary User Deletion
Patched Version: 3.8.1.3
Recommended Action: Update to version 3.8.1.3, or a newer patched version
Plugin: new-year-firework
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Stored Cross-Site Scripting via accessibility-helper Title
Patched Version: 3.7.10
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.10, 3.8.10, 3.9.8, 4.0.7, 4.1.7, 4.2.4
Plugin: Login with TOTP (Google Authenticator, Microsoft Authenticator)
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Vulnerability: Authenticated (Admin+) Cross-Site Scripting (XSS)
Patched Version: 1.5.49
Recommended Action: Update to version 1.5.49, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: Slick Contact Forms
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: spider-calendar
Vulnerability: Multiple Vulnerabilities
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Zephyr Project Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.41
Recommended Action: Update to one of the following versions, or a newer patched version: 3.2.41, 3.2.5
Plugin: Dashicons + Custom Post Types
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Smart Import : Import any XML File to WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: WP LESS to CSS
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Register Plus
Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form 7 Database Addon – CFDB7
Vulnerability: SQL Injection
Patched Version: 1.2.5.4
Recommended Action: Update to version 1.2.5.4, or a newer patched version
Plugin: Limit Login Attempts Plus – WordPress Limit Login Attempts By Felix
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Securimage-WP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version
Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Donation Plugin <= 2.33.0
Patched Version: 2.33.1
Recommended Action: Update to version 2.33.1, or a newer patched version
Plugin: WordPress Flipbook by Supsystic
Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet
Vulnerability: Paid Author Subscriptions, Content, Downloads, Membership <= 1.9.5
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version
Plugin: Geo Controller
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.13.12
Recommended Action: Update to version 7.13.12, or a newer patched version
Plugin: The Events Calendar
Vulnerability: Cross-Site Scripting via tribe_paged Parameter
Patched Version: 4.8.2
Recommended Action: Update to version 4.8.2, or a newer patched version
Plugin: LearnDash LMS
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: 4.6.0.1
Recommended Action: Update to version 4.6.0.1, or a newer patched version
Plugin: Elements For Elementor
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: DiveBook
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fancy Product Designer
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 4.7.6
Recommended Action: Update to version 4.7.6, or a newer patched version
Plugin: FV Flowplayer Video Player
Vulnerability: SQL Injection
Patched Version: 7.3.19.727
Recommended Action: Update to version 7.3.19.727, or a newer patched version
Plugin: Events
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress
Vulnerability: Sensitive Information Exposure
Patched Version: 20.5.4
Recommended Action: Update to version 20.5.4, or a newer patched version
Plugin: Football Pool
Vulnerability: Cross-Site Scripting
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version
Plugin: GetResponse for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.5.21
Recommended Action: Update to version 5.5.21, or a newer patched version
Plugin: WordPress File Upload
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.19.2
Recommended Action: Update to version 4.19.2, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version
Plugin: Ultimate Appointment Booking & Scheduling
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version
Plugin: Contact Form Builder by vcita
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.13
Recommended Action: Update to version 1.9.13, or a newer patched version
Plugin: Gravity Forms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version
Plugin: Ubigeo de Perú para Woocommerce y WordPress
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version
Plugin: Classified Listing – Classified ads & Business Directory Plugin
Vulnerability: Cross-Site Request Forgery via rtcl_ajax_thumbnail_delete
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin
Vulnerability: Multiple SQL Injection
Patched Version: 1.5.16
Recommended Action: Update to version 1.5.16, or a newer patched version
Plugin: Zephyr Project Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.94
Recommended Action: Update to version 3.3.94, or a newer patched version
Plugin: Advance Search for WooCommerce
Vulnerability: Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: aBitGone CommentSafe
Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery via give_get_content_by_ajax_handler
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version
Plugin: WP Private Content Plus
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: BuddyPress Builder for Elementor – BuddyBuilder
Vulnerability: BuddyPress Builder for Elementor <= 1.7.3
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: LIQUID SPEECH BALLOON
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Custom Sidebars – Dynamic Sidebar Widget Area Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.0.2
Recommended Action: Update to version 2.1.0.2, or a newer patched version
Plugin: Social Sharing Plugin – Sassy Social Share
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.45
Recommended Action: Update to version 3.3.45, or a newer patched version
Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.6.51
Recommended Action: Update to version 1.6.51, or a newer patched version
Plugin: Creative Mail – Easier WordPress & WooCommerce Email Marketing
Vulnerability: Cross-Site Request Forgery to Plugin Deactivation
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Custom Post Type Generator
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Subpages Extended
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Analytics Insights – Google Analytics Dashboard for WordPress
Vulnerability: Open Redirect
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version
Plugin: Meks Easy Photo Feed Widget
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Tune Library
Vulnerability: SQL Injection
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Schema – All In One Schema Rich Snippets
Vulnerability: All In One Schema Rich Snippets <= 1.6.5
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting via Network Settings Page
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: Delete Usermetas
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Featured Comments
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: SEO Plugin LiveOptim
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: File Upload Path Traversal
Patched Version: 1.5.75
Recommended Action: Update to version 1.5.75, or a newer patched version
Plugin: Super Store Finder
Vulnerability: Arbitrary File Upload
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version
Plugin: Real Testimonials – Testimonial Slider, Carousel, Grid | Collect Customer Reviews and Video Testimonial with Testimonial Form | Social Proof Reviews and Review Slider
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Price Table
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Custom Settings
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Security Question
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Print My Blog – Print, PDF, & eBook Converter WordPress Plugin
Vulnerability: Server-Side Request Forgery
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Form, Prize, and Sharing Method Fields
Patched Version: 2.45.1
Recommended Action: Update to version 2.45.1, or a newer patched version
Plugin: Brandfolder – Digital Asset Management Simplified.
Vulnerability: Local/Remote File Inclusion
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: AB Google Map Travel (AB-MAP)
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: Portfolio Responsive Gallery
Vulnerability: Blind SQL Injection
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: Add Local Avatar
Vulnerability: Cross-Site Request Forgery via manage_avatar_cache
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Authenticated Privilege Escalation
Patched Version: 4.6.0.4
Recommended Action: Update to version 4.6.0.4, or a newer patched version
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Missing Authorization Checks
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: Forym
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 6.0
Recommended Action: Update to version 6.0, or a newer patched version
Plugin: Page Builder with Image Map by AZEXO
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version
Plugin: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit
Vulnerability: Missing Authorization
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Custom Searchable Data Entry System
Vulnerability: Unauthenticated Database Wiping
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GoHero Store Customizer for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Getnet Argentina para WooCommerce
Vulnerability: 0.0.4
Patched Version: 0.0.5
Recommended Action: Update to version 0.0.5, or a newer patched version
Plugin: Captchinoo, admin login page protection with Google recaptcha
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection
Vulnerability: Missing Capabilities Check
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Missing Authorization to Admin Account and Ticket Creation
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: WordPress to Freshsales Integration
Vulnerability: Cross-Site Scripting
Patched Version: 1.3.2.3
Recommended Action: Update to version 1.3.2.3, or a newer patched version
Plugin: HTML5 Responsive FAQ
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.2.0
Recommended Action: Update to version 7.2.0, or a newer patched version
Core: WordPress
Vulnerability: Arbitrary Page Modification
Patched Version: 3.7.18
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.18, 3.8.18, 3.9.16, 4.0.15, 4.1.15, 4.2.12, 4.3.8, 4.4.7, 4.5.6, 4.6.3, 4.7.2
Plugin: Material Design Icons for Page Builders
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Simple Calendar – Google Calendar Plugin
Vulnerability: Cross-Site Request Forgery to Transient Cache Clearing
Patched Version: 3.1.43
Recommended Action: Update to version 3.1.43, or a newer patched version
Plugin: External Links in New Window / New Tab
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.43
Recommended Action: Update to version 1.43, or a newer patched version
Plugin: FileBird – WordPress Media Library Folders & File Manager
Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.7.4
Recommended Action: Update to version 4.7.4, or a newer patched version
Plugin: Export All URLs
Vulnerability: Arbitrary File Deletion
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Kraken.io Image Optimizer
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version
Plugin: WP-Members Membership Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.8.1
Recommended Action: Update to version 3.2.8.1, or a newer patched version
Plugin: Events Manager – Calendar, Bookings, Tickets, and more!
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.9.6
Recommended Action: Update to version 5.9.6, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Authorization Bypass
Patched Version: 2.9.6
Recommended Action: Update to version 2.9.6, or a newer patched version
Plugin: WPFrom Email
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version
Plugin: Csv2WPeC Coupon
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CardGate Payments for WooCommerce
Vulnerability: Lack of Origin Validation
Patched Version: 3.1.16
Recommended Action: Update to version 3.1.16, or a newer patched version
Plugin: Schedulicity – Easy Online Scheduling
Vulnerability: Easy Online Scheduling <= 2.21
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: History Collection
Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 3.7.11
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.11, 3.8.11, 3.9.9, 4.0.8, 4.1.8, 4.2.5, 4.3.1
Plugin: WP Customer Reviews
Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 3.6.7
Recommended Action: Update to version 3.6.7, or a newer patched version
Plugin: WHMCS Bridge
Vulnerability: No subtitle
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version
Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: CP Image Store with Slideshow
Vulnerability: Arbitrary File Download
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.2.7
Recommended Action: Update to version 6.2.7, or a newer patched version
Plugin: Mailtree Log Mail
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: yurl-retwitt
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Add Post URL
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TablePress – Tables in WordPress made easy
Vulnerability: Authenticated (Author+) CSV Injection
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: DoLogin Security
Vulnerability: Missing Authorization on Dashboard Widget
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version
Plugin: Contact Form 7 Captcha
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.1.2
Recommended Action: Update to version 0.1.2, or a newer patched version
Plugin: IP Blacklist Cloud
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Frontier Post
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Insecure Direct Object Reference
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version
Plugin: WP Roadmap – Product Feedback Board
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: Inline Related Posts
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via wp_user_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: Fancy Comments WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version
Plugin: SVG Support
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Enhanced Text Widget
Vulnerability: Missing Authorization via etw_hide_admin_notification_callback
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file
Patched Version: 4.9.1
Recommended Action: Update to one of the following versions, or a newer patched version: 4.9.1, 4.9.3
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: CSV Importer
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.3.9
Recommended Action: Update to version 0.3.9, or a newer patched version
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: No subtitle
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version
Plugin: Social Media Widget by Acurax
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Astra Bulk Edit
Vulnerability: Missing Authorization
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Peadig's Twitter Feed: Embedded Timeline WordPress Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GD bbPress Attachments
Vulnerability: Directory Traversal
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Nimble Page Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Local File Inclusion
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.56
Recommended Action: Update to version 0.9.56, or a newer patched version
Plugin: Fancy Gallery – WordPress plugin | Galleries
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Unauthenticated Information Disclosure
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Plugin: LOGIN AND REGISTRATION ATTEMPTS LIMIT
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Slideshow
Vulnerability: Cross-Site Scripting and Sensitive Information Disclosure
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version
Plugin: Chatbot with IBM watsonx Assistant
Vulnerability: Cross-Site Scripting
Patched Version: 0.8.21
Recommended Action: Update to version 0.8.21, or a newer patched version
Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Server-Side Request Forgery
Patched Version: 6.5.3
Recommended Action: Update to version 6.5.3, or a newer patched version
Plugin: Post Grid and Gutenberg Blocks – ComboBlocks
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: Really Simple Guest Post
Vulnerability: Local File Inclusion
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: Super Store Finder
Vulnerability: SQL Injection
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version
Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2021.9
Recommended Action: Update to version 2021.9, or a newer patched version
Plugin: WordPress Countdown Widget
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.9.2
Recommended Action: Update to version 3.1.9.2, or a newer patched version
Plugin: WPCHURCH – Church Management System for WordPress
Vulnerability: Church Management System for WordPress Theme < 13-07-2019
Patched Version: 13-07-2019
Recommended Action: Update to version 13-07-2019, or a newer patched version
Plugin: YASR – Yet Another Star Rating Plugin for WordPress
Vulnerability: Authenticated SQL Injection
Patched Version: 0.9.1
Recommended Action: Update to version 0.9.1, or a newer patched version
Plugin: Auto Rename Media On Upload
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Booking for Appointments and Events Calendar – Amelia
Vulnerability: Arbitrary Booking Update and Sensitive Data Exposure
Patched Version: 1.0.49
Recommended Action: Update to version 1.0.49, or a newer patched version
Plugin: VS Contact Form
Vulnerability: Captcha Bypass
Patched Version: 11.6
Recommended Action: Update to version 11.6, or a newer patched version
Plugin: Update Image Tag Alt Attribute
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: Appointment Booking Calendar
Vulnerability: CSV Injection
Patched Version: 1.3.35
Recommended Action: Update to version 1.3.35, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
Patched Version: 3.4.34
Recommended Action: Update to version 3.4.34, or a newer patched version
Plugin: XEN Carousel
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Email Users
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.8.3
Recommended Action: Update to version 4.8.3, or a newer patched version
Plugin: FormCraft – Form Builder
Vulnerability: Missing Authorization via formcraft_nag_update
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Portfolio Gallery – Image Gallery Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Twimp WP
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Loan Comparison
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: WP fancybox
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: Follow Me Plugin
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Visual CSS Style Editor
Vulnerability: Reflected Cross-Site Scripting via wyp_page_type parameter
Patched Version: 7.5.4
Recommended Action: Update to version 7.5.4, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Arbitrary File Upload
Patched Version: 7.0.2
Recommended Action: Update to version 7.0.2, or a newer patched version
Plugin: JetBlocks for Elementor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.8.1
Recommended Action: Update to version 1.3.8.1, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Cross-Site Request Forgery via ajax_save_state
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: WP Accessibility Helper (WAH)
Vulnerability: Reflected Cross-Site Scripting via wahi
Patched Version: 0.6.0.7
Recommended Action: Update to version 0.6.0.7, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Cross-Site Scripting
Patched Version: 2.5.10
Recommended Action: Update to version 2.5.10, or a newer patched version
Plugin: Accessibility
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: Team Circle Image Slider With Lightbox
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.18
Recommended Action: Update to version 1.0.18, or a newer patched version
Plugin: Gallery – Image and Video Gallery with Thumbnails
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Advanced Order Export For WooCommerce
Vulnerability: Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version
Plugin: Google Maps made Simple
Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Steveas WP Live Chat Shoutbox
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RapidLoad – Optimize Web Vitals Automatically
Vulnerability: Cross-Site Request Forgery via ‘uucss_update_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Perfect Survey
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Create Block Theme
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: WP Offload SES Lite
Vulnerability: Interpretation Conflict
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version
Plugin: Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools
Vulnerability: Missing Authorization
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: Opal Estate
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Stripe Payment Plugin for WooCommerce
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version
Plugin: Powerplay Gallery
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Coupon Affiliates – Affiliate Plugin for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.11.3.4
Recommended Action: Update to version 4.11.3.4, or a newer patched version
Plugin: Extra Block Design, Style, CSS for ANY Gutenberg Blocks
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.2.7
Recommended Action: Update to version 0.2.7, or a newer patched version
Plugin: Parsian Bank Gateway for Woocommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UpdraftPlus: WP Backup & Migration Plugin
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.22.3
Recommended Action: Update to version 1.22.3, or a newer patched version
Plugin: AmpedSense – AdSense Split Tester
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Feedweb
Vulnerability: Missing Authorization
Patched Version: 3.0.11
Recommended Action: Update to version 3.0.11, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting via plupload.flash.swf
Patched Version: 3.7.14
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.14, 3.8.14, 3.9.12, 4.0.11, 4.1.11, 4.2.8, 4.3.4, 4.4.3, 4.5.2
Plugin: Welcart e-Commerce
Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 2.9.7
Recommended Action: Update to version 2.9.7, or a newer patched version
Plugin: Affiliate Power – Sales Tracking for Affiliate Marketers
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: Content Mask
Vulnerability: Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 1.8.4.1
Recommended Action: Update to version 1.8.4.1, or a newer patched version
Plugin: ConvertPlus
Vulnerability: Unauthenticated Administrator Creation
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: Stream
Vulnerability: Admin+ SQL Injection
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version
Plugin: Radio Buttons for Taxonomies
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Portfolio Slideshow
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: eCommerce Product Catalog Plugin for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version
Plugin: Custom Post Type and Taxonomy GUI Manager
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Visual Composer Website Builder
Vulnerability: Authenticated Stored Cross-Site Scripting via ‘Title’
Patched Version: 45.0.1
Recommended Action: Update to version 45.0.1, or a newer patched version
Plugin: Accordion
Vulnerability: Unprotected AJAX Action to Stored/Reflected Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version
Plugin: PICA Photo Gallery
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Vulnerability: Cross-Site Request Forgery to Product Manipulation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Embed Privacy
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Core: WordPress MU
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.5a
Recommended Action: Update to version 1.2.5a, or a newer patched version
Plugin: WordPress Simple HTML Sitemap
Vulnerability: Reflected Cross-Site Scripting via id
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: WPtouch – Make your WordPress Website Mobile-Friendly
Vulnerability: Cross-Site Scripting
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version
Plugin: Advanced Booking Calendar
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 2Way VideoCalls and Random Chat – HTML5 Webcam Videochat
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.8
Recommended Action: Update to version 5.2.8, or a newer patched version
Plugin: LiteSpeed Cache
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version
Plugin: Accept Stripe Donation and Payments – AidWP
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version
Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP
Vulnerability: Broadcast Live Video <= 5.5.15
Patched Version: 5.5.16
Recommended Action: Update to version 5.5.16, or a newer patched version
Plugin: Essential Real Estate
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: Web Invoice – Invoicing and billing for WordPress
Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms
Vulnerability: Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Invitation Based Registrations
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Cross-Site Request Forgery via handleSubmitAction function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: Grou Random Image Widget
Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Profile & Dashboard fields [Modify/Disable/Remove]
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version
Plugin: WooCommerce Anti-Fraud
Vulnerability: Insecure Direct Object Reference
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version
Plugin: Image News Slider
Vulnerability: Unspecified Vulnerability
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Cross-Site Request Forgery via handle_optin_optout()
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version
Plugin: Newsletter Popup
Vulnerability: Cross-Site Request Forgery to Record Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Import and export users and customers
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.19.2.1
Recommended Action: Update to version 1.19.2.1, or a newer patched version
Plugin: Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress
Vulnerability: Authorization Bypass
Patched Version: 3.83
Recommended Action: Update to version 3.83, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Authenticated Arbitrary File Read
Patched Version: 0.9.71
Recommended Action: Update to version 0.9.71, or a newer patched version
Plugin: WooCommerce EAN Payment Gateway
Vulnerability: Missing Authorization to Authenticated (Contributor+) EAN Update
Patched Version: 6.1.0
Recommended Action: Update to version 6.1.0, or a newer patched version
Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Vulnerability: SQL Injection
Patched Version: 2.05.03
Recommended Action: Update to version 2.05.03, or a newer patched version
Core: WordPress
Vulnerability: Improper Authorization to Information Disclosure
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Missing Authorization on ajax_add_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Media Library Categories
Vulnerability: Unauthenticated Multiple Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Flipbook by Supsystic
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: Automated Editor
Vulnerability: Cross-Site Request Forgery via admin menu pages
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Original Media Path
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: WP Custom Cursors | WordPress Cursor Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: Wp Cookie Choice
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: which template file
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.9.0
Recommended Action: Update to version 4.9.0, or a newer patched version
Plugin: Easy Newsletter Signups
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Batch Cat
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: iPages Flipbook For WordPress
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: MultiParcels Shipping For WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.4
Recommended Action: Update to version 1.15.4, or a newer patched version
Plugin: 胖鼠采集 (Fat Rat Collect) – paginated list collection for WeChat, Zhihu, Jianshu and Tencent News, with automatic collection, automatic publishing, automatic tagging and more. Open-source plugin
Vulnerability: Missing Authorization
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Popup Box (Developer) – Create Countdown, Coupon, Video, Contact Form Popups
Vulnerability: 7.9.0) and Developer (20.0.0
Patched Version: 20.9.0
Recommended Action: Update to version 20.9.0, or a newer patched version
Plugin: Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping
Vulnerability: Cross-Site Request Forgery via enableDisable and deletePost
Patched Version: 1.6.4.6
Recommended Action: Update to version 1.6.4.6, or a newer patched version
Plugin: Advanced Custom Fields: Image Crop Add-on
Vulnerability: Improper Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Arigato Autoresponder and Newsletter
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.1.9
Recommended Action: Update to version 2.5.1.9, or a newer patched version
Plugin: Read More Excerpt Link
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Beebee Mini
Vulnerability: Unauthorized File Upload via ACF
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version
Plugin: Link Library
Vulnerability: Missing Authorization Checks
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version
Plugin: WP FullCalendar
Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Force First and Last Name as Display Name
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: WP OAuth Server (OAuth Authentication)
Vulnerability: Authenticated (Subscriber+) Arbitrary Client Deletion (wo_ajax_remove_client)
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version
Plugin: Comment Reply Notification
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Open Graph and Twitter Card Tags
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.4.1
Recommended Action: Update to version 2.2.4.1, or a newer patched version
Plugin: WP Background Takeover
Vulnerability: Directory Traversal
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: Easy Preloader
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Image Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Songbook
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Blog2Social: Social Media Auto Post & Scheduler
Vulnerability: Authenticated SQL Injection
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version
Plugin: Shortlink by BestWebSoft
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Admin Management Xtended
Vulnerability: Cross-Site Request Forgery to Post Status Update
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version
Plugin: Shortcode Redirect
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.02
Recommended Action: Update to version 1.0.02, or a newer patched version
Core: WordPress
Vulnerability: Open Redirect
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: WP Symposium
Vulnerability: Cross-Site Scripting
Patched Version: 13.04
Recommended Action: Update to version 13.04, or a newer patched version
Plugin: Mingle Forum
Vulnerability: SQL Injection
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version
Plugin: User Email Verification for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.0.7.2
Recommended Action: Update to version 3.0.7.2, or a newer patched version
Plugin: Nelio AB Testing
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.6.4
Recommended Action: Update to version 4.6.4, or a newer patched version
Plugin: Ultimate Product Catalog
Vulnerability: SQL Injection
Patched Version: 4.2.23
Recommended Action: Update to version 4.2.23, or a newer patched version
Plugin: HandL UTM Grabber / Tracker
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version
Plugin: Directory Listings WordPress plugin – uListing
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Simple Membership
Vulnerability: Membership Privilege Escalation
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version
Plugin: 404 to 301 – Redirect, Log and Notify 404 Errors
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Voting Record
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tiger Forms – Drag and Drop Form Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 13.0.6
Recommended Action: Update to version 13.0.6, or a newer patched version
Plugin: History Log by click5
Vulnerability: Authenticated (Administrator+) Time-Based Blind SQL Injection
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version
Plugin: Ultimate Product Catalog
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version
Plugin: WP-FormAssembly
Vulnerability: Limited Server Side Request Forgery via ‘formassembly’ shortcode
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Easy Newsletter Signups
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: StoryChief
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.31
Recommended Action: Update to version 1.0.31, or a newer patched version
Plugin: Themify – WooCommerce Product Filter
Vulnerability: Not stated in this entry (affected versions: WooCommerce Product Filter <= 1.3.7)
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Sp*tify Play Button for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.06
Recommended Action: Update to version 2.06, or a newer patched version
Plugin: MailPoet Newsletters (Previous)
Vulnerability: Multiple SQL Injections
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: WP PDF Generator
Vulnerability: Cross-Site Request Forgery to PDF Settings Update
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Frontend File Manager Plugin
Vulnerability: Privilege Escalation
Patched Version: 18.3
Recommended Action: Update to version 18.3, or a newer patched version
Plugin: Ripe HD FLV
Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Tabs – Responsive Tabs and Custom Product Tabs
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version
Plugin: Code Snippets
Vulnerability: Cross-Site Request Forgery via load
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version
Plugin: Image horizontal reel scroll slideshow
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 13.4
Recommended Action: Update to version 13.4, or a newer patched version
Core: WordPress
Vulnerability: Denial of Service
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version
Plugin: Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam (Automatic QR Code Scan Payment – MoMo, ViettelPay, VNPay and 40 Vietnamese banks)
Vulnerability: Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Export any WordPress data to XML/CSV
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Woo MerchantX
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Booking Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: Search in Place
Vulnerability: Missing Authorization to Feedback Submission
Patched Version: 1.0.105
Recommended Action: Update to version 1.0.105, or a newer patched version
Plugin: Oi Yandex.Maps for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smooth Page Scroll Up/Down Buttons
Vulnerability: Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Slider Revolution
Vulnerability: Missing Authorization to Arbitrary File Upload
Patched Version: 3.0.96
Recommended Action: Update to version 3.0.96, or a newer patched version
Plugin: SAHU TikTok Pixel for E-Commerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: wp-championship
Vulnerability: SQL Injection
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version
Plugin: WP YouTube Lyte
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.7.16
Recommended Action: Update to version 1.7.16, or a newer patched version
Plugin: Send PDF for Contact Form 7
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 0.9.2
Recommended Action: Update to version 0.9.2, or a newer patched version
Plugin: WP Travel – Ultimate Travel Booking System, Tour Management Engine
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version
Plugin: WPS Limit Login
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.6.1
Recommended Action: Update to version 1.4.6.1, or a newer patched version
Plugin: Page Builder by SiteOrigin
Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 2.10.16
Recommended Action: Update to version 2.10.16, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Missing Authorization via ‘start_staging’ and ‘get_staging_progress’
Patched Version: 0.9.91
Recommended Action: Update to version 0.9.91, or a newer patched version
Plugin: Global Content Blocks
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Missing Authorization
Patched Version: 2.5.4.4
Recommended Action: Update to version 2.5.4.4, or a newer patched version
Plugin: Photo Gallery by Supsystic
Vulnerability: Cross-Site Request Forgery to Plugin Settings Change
Patched Version: 1.15.6
Recommended Action: Update to version 1.15.6, or a newer patched version
Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.29.1
Recommended Action: Update to version 3.29.1, or a newer patched version
Plugin: Easy Digital Downloads – Per Product Emails
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Core: WordPress
Vulnerability: Authorization Bypass
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Waiting: One-click countdowns
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Portfolio and Projects
Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Redirection
Vulnerability: Cross-Site Request Forgery via ‘SaveSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Missing Authorization via ajax_unassign_folders
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Simple Backup
Vulnerability: Arbitrary File Download via Path Traversal
Patched Version: 2.7.11
Recommended Action: Update to version 2.7.11, or a newer patched version
Plugin: Houzez Login Register
Vulnerability: Privilege Escalation
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: WP Crowdfunding
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: Klaviyo
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.10
Recommended Action: Update to version 3.0.10, or a newer patched version
Plugin: Pay with Vipps and MobilePay for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.14.14
Recommended Action: Update to version 1.14.14, or a newer patched version
Plugin: Real-Time Find and Replace
Vulnerability: Cross-Site Scripting
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version
Plugin: Simple Page Ordering
Vulnerability: Regular Expression Denial of Service
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version
Plugin: Trustprofile and reviews for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.25
Recommended Action: Update to version 3.25, or a newer patched version
Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Missing Authorization to Update License
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: Image News Slider
Vulnerability: Arbitrary File Upload
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: Contact Form 7 Style
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: PHP Object Injection
Patched Version: 3.7.28
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.11.1
Recommended Action: Update to version 5.11.1, or a newer patched version
Plugin: JobSearch WP Job Board
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Constant Contact Forms
Vulnerability: Information Disclosure via Log Files
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version
Plugin: Shortcodes Finder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Eventr
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Link Whisper Free
Vulnerability: Missing Authorization via init()
Patched Version: 0.6.4
Recommended Action: Update to version 0.6.4, or a newer patched version
Plugin: CRM: Contact Management Simplified – UkuuPeople
Vulnerability: Cross-Site Request Forgery to Favorite Addition/Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Marketing Performance
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Missing Authorization in ‘startProcess’ to Arbitrary Redirect via ‘update_link_redirect’ task
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version
Plugin: Bg Bible References
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Yoo Slider – Image Slider & Video Slider
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Email download link
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEO Redirection Plugin – 301 Redirect Manager
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 7.1
Recommended Action: Update to version 7.1, or a newer patched version
Plugin: Analytics Cat – Google Analytics Made Easy
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Maintenance Mode by Supsystic
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.11
Recommended Action: Update to version 1.7.11, or a newer patched version
Plugin: RESPONSIVE 3D SLIDER
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting via render_dropdown
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version
Plugin: JSmol2WP
Vulnerability: Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Analyticator
Vulnerability: Cross-Site Scripting
Patched Version: 5.2.1
Recommended Action: Update to version 5.2.1, or a newer patched version
Plugin: Product List / Grid View for Woocommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Author Box
Vulnerability: Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary User Sensitive Information Exposure
Patched Version: 2.52
Recommended Action: Update to version 2.52, or a newer patched version
Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More
Vulnerability: Not stated in this entry (only the version “2.0.3” survives)
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: One Click SSL
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: Order Notification for WooCommerce – Get Audio Alert on new Orders
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Interactive Medical Drawing of Human Body
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.12
Recommended Action: Update to version 3.8.12, or a newer patched version
Plugin: Portfolio Gallery – Responsive Image Gallery
Vulnerability: Missing Authorization to Arbitrary Gallery Deletion
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version
Plugin: Remove CPT base
Vulnerability: Cross-Site Request Forgery to CPT base deletion
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version
Plugin: We’re Open!
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.47
Recommended Action: Update to version 1.47, or a newer patched version
Plugin: WPJAM Basic
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.2.1.1
Recommended Action: Update to version 6.2.1.1, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Authenticated (Student+) SQL Injection
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: SEO Smart Links
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Booking Calendar
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 9.4.3.1
Recommended Action: Update to version 9.4.3.1, or a newer patched version
Plugin: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version
Plugin: WP Cerber Security, Anti-spam & Malware Scan
Vulnerability: User Enumeration Bypass via REST API
Patched Version: 9.3.3
Recommended Action: Update to version 9.3.3, or a newer patched version
Plugin: WP Food Manager – Restaurant Menu & Online Food Ordering for WooCommerce – Food Delivery & Pickup – Table Reservation
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers
Vulnerability: Missing Authorization via AJAX actions
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: wp2syslog
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NOTICE BOARD
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Crontrol
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: WP Symposium
Vulnerability: Cross-Site Scripting
Patched Version: 11.12.08
Recommended Action: Update to version 11.12.08, or a newer patched version
Plugin: Post State Tags
Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clockwork SMS Notfications
Vulnerability: Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: Caldera Forms – More Than Contact Forms
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Wise Chat
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: Alojapro Booking Engine
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version
Core: WordPress
Vulnerability: Privilege Escalation
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: BA Plus – Before & After Image Slider FREE
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 5.12.1
Recommended Action: Update to version 5.12.1, or a newer patched version
Plugin: PixTypes
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.15
Recommended Action: Update to version 1.4.15, or a newer patched version
Plugin: Process Steps Template Designer
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: Membership For WooCommerce – SIMPLE MEMBERSHIP PLANS, RECURRING REVENUE, USER PROFILES & SIGNUPS, CONTENT RESTRICTIONS, AND MEMBER LEVELS WITH WOOCOMMERCE MEMBERSHIP
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: Checkout with Zelle on Woocommerce
Vulnerability: Missing Authorization
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version
Core: WordPress
Vulnerability: SQL Injection
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: Leaky Paywall
Vulnerability: Not specified in this listing
Patched Version: 4.16.6
Recommended Action: Update to version 4.16.6, or a newer patched version
Plugin: Ajax Search Pro
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: Stock Manager for WooCommerce
Vulnerability: Authorization Bypass
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Simple Telegram
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Embed PDF
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Security Optimizer – The All-In-One Protection Plugin
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Appointments Scheduler
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PPOM – Product Addons & Custom Fields for WooCommerce
Vulnerability: Arbitrary File Upload
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: Foliopress WYSIWYG
Vulnerability: Cross-Site Scripting
Patched Version: 2.6.16
Recommended Action: Update to version 2.6.16, or a newer patched version
Plugin: Post Comments as bbPress Topics
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: Theme Switcha – Easily Switch Themes for Development and Testing
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: Podcast Importer SecondLine
Vulnerability: SQL Injection
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: My WP Translate
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Bootstrap Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPML
Vulnerability: Reflected Cross-Site Scripting via wp_lang
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version
Plugin: bbPress Move Topics
Vulnerability: PHP Object Injection
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Rise Blocks – A Complete Gutenberg Page Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: GuruWalk Affiliates
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction
Vulnerability: Missing Authorization
Patched Version: 2.0.14
Recommended Action: Update to version 2.0.14, or a newer patched version
Plugin: Blogroll Fun – Show Last Post and Last Update Time
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.8.5
Recommended Action: Update to version 0.8.5, or a newer patched version
Core: WordPress
Vulnerability: Information Disclosure
Patched Version: 3.7.17
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.17, 3.8.17, 3.9.15, 4.0.14, 4.1.14, 4.2.11, 4.3.7, 4.4.6, 4.5.5, 4.6.2, 4.7.1
Plugin: WP Meteor Website Speed Optimization Addon
Vulnerability: Not specified in this listing
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version
Plugin: Simple Security
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: WooCommerce Bookings
Vulnerability: Insecure Direct Object Reference
Patched Version: 1.15.79
Recommended Action: Update to version 1.15.79, or a newer patched version
Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.0.11
Recommended Action: Update to version 1.7.0.11, or a newer patched version
Plugin: Orange Form
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP LINE Notify
Vulnerability: Reflected Cross-Site Scripting via ‘uid’
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Newsletter Popup
Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘nl_data’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Passster – Password Protect Pages and Content
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.5.5.8
Recommended Action: Update to version 3.5.5.8, or a newer patched version
Plugin: YITH WooCommerce Gift Cards Premium
Vulnerability: Arbitrary File Upload
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in multiple functions in admin/controller.php
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Eonet Manual User Approve
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Preview Link Generator
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: FV Flowplayer Video Player
Vulnerability: Sensitive Data Exposure
Patched Version: 7.3.15.727
Recommended Action: Update to version 7.3.15.727, or a newer patched version
Plugin: WassUp Real Time Analytics
Vulnerability: Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Transbank Webpay
Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version
Plugin: Announce from the Dashboard
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: Donations
Vulnerability: Unauthenticated Arbitrary Options Change
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Import and export users and customers
Vulnerability: Cross-Site Request Forgery leading to attachment deletion & Path Traversal
Patched Version: 1.14.2.2
Recommended Action: Update to version 1.14.2.2, or a newer patched version
Plugin: WP-PostRatings
Vulnerability: SQL Injection
Patched Version: 1.62
Recommended Action: Update to version 1.62, or a newer patched version
Plugin: Page View Count
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version
Plugin: WP-chgFontSize
Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive Pricing Table
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.1.8
Recommended Action: Update to version 5.1.8, or a newer patched version
Plugin: Bonus for Woo
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8.3
Recommended Action: Update to version 5.8.3, or a newer patched version
Plugin: multi-plugin-installer
Vulnerability: Arbitrary File Read
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: MapifyLite (by MapifyPro)
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: Redux Framework
Vulnerability: Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion
Patched Version: 4.2.13
Recommended Action: Update to version 4.2.13, or a newer patched version
Plugin: Blog Floating Button
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.13
Recommended Action: Update to version 1.4.13, or a newer patched version
Plugin: Grab & Save
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Add Edit Delete Listing Module
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woocommerce Order address Print
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Comments Ratings
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: SpiderVPlayer
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Countdown Widget
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 3.1.9.2
Recommended Action: Update to version 3.1.9.2, or a newer patched version
Plugin: ImageInject
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.16
Recommended Action: Update to version 1.16, or a newer patched version
Plugin: IP2Location Country Blocker
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.26.9
Recommended Action: Update to version 2.26.9, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting via Media Uploads
Patched Version: 3.7.30
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.14, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3
Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via wpbe_update_page_field
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: Yellow Swordfish Simple Forum
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RB Internal Links
Vulnerability: Cross-Site Request Forgery to Settings update and Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPGraphQL
Vulnerability: Unauthenticated Comment Creation
Patched Version: 0.3.0
Recommended Action: Update to version 0.3.0, or a newer patched version
Plugin: Post Status Notifier Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10.1
Recommended Action: Update to version 1.10.1, or a newer patched version
Plugin: Request a Quote
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version
Plugin: Testimonial – WordPress Testimonial Showcase Plugin Grid Plus Testimonial Slider
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Cross-Site Request Forgery to Stripe Integration Deletion
Patched Version: 2.33.4
Recommended Action: Update to version 2.33.4, or a newer patched version
Plugin: Chronoforms
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Waitlist Woocommerce ( Back in stock notifier )
Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: Slider Factory – Responsive Photo Slider, Image Slider, Video Slider, Carousel Slideshow
Vulnerability: Missing Authorization
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: WHOIS
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Login History
Vulnerability: SQL Injection via Order By
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Missing Authorization on ajax_save_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: WP Social Sharing
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Timeline Calendar
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Database Administrator
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version
Plugin: Event Registration
Vulnerability: PHP Object Injection
Patched Version: 6.03.01
Recommended Action: Update to version 6.03.01, or a newer patched version
Plugin: vodpod-video-gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: OAuth Client by DigitialPixies
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio
Vulnerability: SQL Injection
Patched Version: 2.53
Recommended Action: Update to version 2.53, or a newer patched version
Plugin: InPost Gallery
Vulnerability: Local File Inclusion
Patched Version: 2.1.4.1
Recommended Action: Update to version 2.1.4.1, or a newer patched version
Plugin: Note Press
Vulnerability: Authenticated (Admin+) SQL Injection via id Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hide My WP – Amazing Security Plugin for WordPress!
Vulnerability: Cross-Site Scripting
Patched Version: 4.52
Recommended Action: Update to version 4.52, or a newer patched version
Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Gmedia Photo Gallery
Vulnerability: Cross-Site Scripting
Patched Version: 1.18.5
Recommended Action: Update to version 1.18.5, or a newer patched version
Plugin: WP Intercom – Slack for WordPress
Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: E-Search
Vulnerability: Reflected Cross-Site Scripting via title_az parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Vulnerability: Privilege Escalation
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 6.15.15.3
Recommended Action: Update to version 6.15.15.3, or a newer patched version
Plugin: RapidLoad – Optimize Web Vitals Automatically
Vulnerability: Missing Authorization in ‘clear_page_cache’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Branded Social Images – Open Graph Images with logo and extra text layer
Vulnerability: Missing Authorization leading to Unauthenticated Plugin Settings Updates
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: cforms
Vulnerability: Cross-Site Scripting
Patched Version: 10.2
Recommended Action: Update to version 10.2, or a newer patched version
Plugin: Random image gallery with pretty photo zoom
Vulnerability: DOM Cross-Site Scripting
Patched Version: 7.5
Recommended Action: Update to version 7.5, or a newer patched version
Plugin: WP eCommerce Shop Styling
Vulnerability: Directory Traversal
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: SendPress Newsletters
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download Manager
Vulnerability: Authenticated File Upload
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: NewStatPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder
Vulnerability: Remote Code Execution
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version
Plugin: Image Metadata Cruncher
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.99
Recommended Action: Update to version 0.99, or a newer patched version
Plugin: Ultimate Product Catalog
Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Reflected Cross-Site Scripting via section_id
Patched Version: 5.2.4.2
Recommended Action: Update to version 5.2.4.2, or a newer patched version
Plugin: WordPress Poll
Vulnerability: SQL Injection
Patched Version: 34.06
Recommended Action: Update to version 34.06, or a newer patched version
Core: WordPress
Vulnerability: Media Related Security Issue
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: WP Responsive Menu
Vulnerability: Missing Authorization to Settings Update & Stored Cross-Site Scripting
Patched Version: 3.1.7.1
Recommended Action: Update to version 3.1.7.1, or a newer patched version
Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Vulnerability: Missing Authorization to Product Manipulation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: WordPress Shout Box Widget
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP eCommerce
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.8.7.2
Recommended Action: Update to version 3.8.7.2, or a newer patched version
Plugin: Headless CMS
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All Users Messenger
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Message Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rate My Post – Star Rating Plugin by FeedbackWP
Vulnerability: IP Address Spoofing
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: PDF Invoices & Packing Slips for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version
Plugin: WP Jump Menu
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pricing Table by Supsystic
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version
Plugin: AntiVirus
Vulnerability: Full Path Disclosure
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: WP YouTube Live
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.22
Recommended Action: Update to version 1.7.22, or a newer patched version
Plugin: The Buffer Button
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form Email
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.3.38
Recommended Action: Update to version 1.3.38, or a newer patched version
Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.22
Recommended Action: Update to version 5.22, or a newer patched version
Plugin: WCFM Marketplace – Multivendor Marketplace for WooCommerce
Vulnerability: Not specified in this listing (affected versions: WooCommerce Multivendor Marketplace <= 3.4.11)
Patched Version: 3.4.12
Recommended Action: Update to version 3.4.12, or a newer patched version
Plugin: Better Font Awesome
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Adaptive Images for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.6.69
Recommended Action: Update to version 0.6.69, or a newer patched version
Plugin: Dialogs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Validation Bypass via Email Field
Patched Version: 3.4.27.1
Recommended Action: Update to version 3.4.27.1, or a newer patched version
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Core: WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.16
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.16, 3.8.16, 3.9.14, 4.0.13, 4.1.13, 4.2.10, 4.3.6, 4.4.5, 4.5.4, 4.6.1
Plugin: Support Board
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: Comment Guestbook
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
Vulnerability: Authenticated (Vendor+) Stored Cross-Site Scripting
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version
Plugin: Ultimate Gift Cards for WooCommerce – Create WooCommerce Gift Cards, Gift Vouchers, Redeem & Manage Digital Gift Coupons. Offer Gift Certificates, Schedule Gift Cards, and Use Advance Coupons With Personalized Templates
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: SpiderCalendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.65
Recommended Action: Update to version 1.6.65, or a newer patched version
Plugin: Local Weather
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LWS Tools
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: WPBakery Page Builder Clipboard
Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.5.6
Recommended Action: Update to version 4.5.6, or a newer patched version
Plugin: miwoftp
Vulnerability: Arbitrary File Download
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Core: WordPress
Vulnerability: Stored Cross-Site Scripting via Plugin Names
Patched Version: 3.7.22
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.22, 3.8.22, 3.9.20, 4.0.19, 4.1.19, 4.2.16, 4.3.12, 4.4.11, 4.5.10, 4.6.7, 4.7.6, 4.8.2
Plugin: Newsletter – Send awesome emails from WordPress
Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.7.7
Recommended Action: Update to version 6.7.7, or a newer patched version
Plugin: FormCraft
Vulnerability: Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Charts
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FormBuilder
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wp-Insert
Vulnerability: Arbitrary File Upload
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version
Plugin: Slider Hero with Video Background, Animation
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.4.4
Recommended Action: Update to version 8.4.4, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.35
Recommended Action: Update to version 1.5.35, or a newer patched version
Plugin: Customer Reviews for WooCommerce
Vulnerability: Missing Authorization via CR_Manual
Patched Version: 5.38.2
Recommended Action: Update to version 5.38.2, or a newer patched version
Plugin: SearchWP Live Ajax Search
Vulnerability: Directory Traversal and Local File Inclusion
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Shared Files – Frontend File Upload Form & Secure File Sharing
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.57
Recommended Action: Update to version 1.6.57, or a newer patched version
Plugin: Sermon Browser
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Server-Side Request Forgery
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1
Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.12.1
Recommended Action: Update to version 8.12.1, or a newer patched version
Plugin: MailPoet Newsletters (Previous)
Vulnerability: Authorization Bypass
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version
Plugin: UpdraftPlus: WP Backup & Migration Plugin
Vulnerability: Privilege Escalation via updraft_central_ajax_handler
Patched Version: 1.23.3
Recommended Action: Update to one of the following versions, or a newer patched version: 1.23.3, 2.23.3
Plugin: Link Library
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.2.9
Recommended Action: Update to version 7.2.9, or a newer patched version
Plugin: Premium Addons for Elementor
Vulnerability: No subtitle
Patched Version: 4.2.8
Recommended Action: Update to version 4.2.8, or a newer patched version
Plugin: Posts to Page
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Read and Understood
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Contact Bank – Contact Form Builder for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.226
Recommended Action: Update to version 2.0.226, or a newer patched version
Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version
Plugin: Shoppable Images
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: WP Remote Users Sync
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version
Plugin: Flexi – Guest Submit
Vulnerability: Guest Submit < 4.20
Patched Version: 4.20
Recommended Action: Update to version 4.20, or a newer patched version
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘notice’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: WP Remote Users Sync
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Log View
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version
Plugin: Ultimate Reviews
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.0.16
Recommended Action: Update to version 3.0.16, or a newer patched version
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: SQL Injection
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: Improved user search in backend
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: Advanced Order Export For WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: Bootstrap Shortcodes Ultimate
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Discussion Board – WordPress Forum Plugin
Vulnerability: Authenticated (Subscriber+) Content Injection
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version
Plugin: VigilanTor
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.11
Recommended Action: Update to version 1.3.11, or a newer patched version
Plugin: HTML5 MP3 Player with Playlist Free
Vulnerability: Authenticated (Author+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Vulnerability: Insecure Direct Object Reference to Order Manipulation
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Timely Booking Button
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: eCommerce Product Catalog Plugin for WordPress
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.9.44
Recommended Action: Update to version 2.9.44, or a newer patched version
Plugin: Event Tickets with Ticket Scanner
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Autolinks Manager – SEO Auto Linker
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.05
Recommended Action: Update to version 1.10.05, or a newer patched version
Plugin: WooCommerce
Vulnerability: Unauthorized Order Status Change
Patched Version: 3.5.10
Recommended Action: Update to one of the following versions, or a newer patched version: 3.5.10, 3.6.7, 3.7.3, 3.8.3, 3.9.5, 4.0.4, 4.1.4, 4.2.5, 4.3.6, 4.4.4, 4.5.5, 4.6.5, 4.7.4, 4.8.3, 4.9.5, 5.0.3, 5.1.3, 5.2.5, 5.3.3, 5.4.4, 5.5.4, 5.6.2, 5.7.2, 5.8.1, 5.9.1, 6.0.1, 6.1.2, 6.2.2, 6.3.1
Plugin: WooCommerce
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Authenticated (Subscriber+) Arbitrary Post Access via Shortcode
Patched Version: 5.12.8
Recommended Action: Update to version 5.12.8, or a newer patched version
Plugin: Redirection for Contact Form 7
Vulnerability: Authenticated Arbitrary Plugin Installation
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: Memphis Documents Library
Vulnerability: Local File Inclusion
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.
Vulnerability: Unprotected AJAX Actions
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Vulnerability: Missing Authorization on ‘load_hcaptcha_preview’ AJAX function
Patched Version: 1.23.3
Recommended Action: Update to version 1.23.3, or a newer patched version
Plugin: Code Embed
Vulnerability: Authenticated (Contributor+) Denial of Service
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version
Plugin: Curtain
Vulnerability: Unauthenticated Maintenance Mode Enable/Disable
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Waiting: One-click countdowns
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Webcam Video Conference
Vulnerability: Unrestricted File Upload leading to Remote Code Execution
Patched Version: 4.91.9
Recommended Action: Update to version 4.91.9, or a newer patched version
Plugin: Post Connector
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version
Plugin: Page Builder with Image Map by AZEXO
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Activity Log
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Core: WordPress
Vulnerability: Information Disclosure (Multi-Part Email Leak)
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Plugin: Sign-up Sheets
Vulnerability: Authenticated CSV Injection
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version
Plugin: Mobile Address Bar Changer
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cost Calculator
Vulnerability: Authenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AdRotate Banner Manager – The only ad manager you'll need
Vulnerability: Authenticated Stored Cross-Site Scripting via Advert Names
Patched Version: 5.8.23
Recommended Action: Update to version 5.8.23, or a newer patched version
Plugin: Peter’s Random Anti-Spam Image
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Blog Grid & Post Grid – Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry, Category Post Grid By News & Blog Designer Pack
Vulnerability: Unauthenticated Remote Code Execution via Local File Inclusion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Chat Button & Custom ChatGPT-Powered Bot by GetButton.io
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.8.10
Recommended Action: Update to version 1.8.10, or a newer patched version
Plugin: DX-auto-save-images
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Web Instant Messenger
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kento Post View Counter
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Forms Puzzle Captcha
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Inactive User Deleter
Vulnerability: Cross-Site Request Forgery via Multiple Functions
Patched Version: 1.60
Recommended Action: Update to version 1.60, or a newer patched version
Plugin: Social Sharing Plugin – Kiwi
Vulnerability: Arbitrary Options Update
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version
Plugin: Accept Stripe Payments
Vulnerability: Unauthenticated Content Injection
Patched Version: 2.0.80
Recommended Action: Update to version 2.0.80, or a newer patched version
Plugin: WassUp Real Time Analytics
Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3.1
Recommended Action: Update to version 1.8.3.1, or a newer patched version
Plugin: YOP Poll
Vulnerability: Author+ Stored Cross-Site Scripting via Preview Module
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version
Plugin: cformsII
Vulnerability: Authenticated SQL Injection
Patched Version: 14.13
Recommended Action: Update to version 14.13, or a newer patched version
Plugin: WooCommerce Bulk Stock Management
Vulnerability: Cross-Site Scripting
Patched Version: 2.2.34
Recommended Action: Update to version 2.2.34, or a newer patched version
Plugin: Google Map Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: PHAR Deserialization
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version
Plugin: Affiliate Ads for Clickbank Products
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Saan World Clock
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.21
Recommended Action: Update to version 4.3.21, or a newer patched version
Plugin: Simple Share Buttons Adder
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: WP Simple Booking Calendar
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.8.5
Recommended Action: Update to version 2.0.8.5, or a newer patched version
Plugin: wp tell a friend popup form
Vulnerability: Cross-Site Request Forgery via ‘TellAFriend_admin’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Checkout Files Upload for WooCommerce
Vulnerability: Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Slideshow
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GI-Media Library
Vulnerability: Directory Traversal
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: WP Table Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version
Plugin: Constant Contact Forms by MailMunch
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Authentication Bypass
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Logo Slider
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Uninstall
Vulnerability: Cross-Site Request Forgery to Site Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.11
Recommended Action: Update to version 4.1.11, or a newer patched version
Plugin: Simply Exclude
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Easy GA4 – Google Analytics WordPress Plugin
Vulnerability: Cross-Site Request Forgery via plugin_activation
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
Vulnerability: Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: WordPress Poll
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: Get your number
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Fotomoto
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ResponsiveVoice Text To Speech
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: Social Sharing Plugin – Social Warfare
Vulnerability: Unauthenticated Arbitrary Settings Update
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version
Plugin: WP Super Cache
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: PDF File Browser
Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Armour – Honeypot Anti Spam
Vulnerability: No subtitle
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: Yoast SEO
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: PowerPack Pro for Elementor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.24
Recommended Action: Update to version 2.9.24, or a newer patched version
Plugin: Ricerca – advanced search
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version
Plugin: Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version
Plugin: Zephyr Project Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: copy-me
Vulnerability: Missing Authorization & Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA
Vulnerability: Cross-Site Request Forgery via save_campaign_preview
Patched Version: 3.1.19
Recommended Action: Update to version 3.1.19, or a newer patched version
Plugin: SearchIQ – The Search Solution
Vulnerability: Missing Authorization via getSIQPluginSettings
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: Dave's WordPress Live Search
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version
Core: WordPress
Vulnerability: Stored Cross-Site Scripting via Plugin Deactivation and Deletion Errors
Patched Version: 3.7.39
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.39, 3.8.39, 3.9.37, 4.0.36, 4.1.36, 4.2.33, 4.3.29, 4.4.28, 4.5.27, 4.6.24, 4.7.24, 4.8.20, 4.9.21, 5.0.17, 5.1.14, 5.2.16, 5.3.13, 5.4.11, 5.5.10, 5.6.9, 5.7.7, 5.8.5, 5.9.4, 6.0.2
Plugin: WordPress Comments Import & Export
Vulnerability: CSV Injection
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Admin+ Cross-Site Scripting
Patched Version: 2.11.6
Recommended Action: Update to version 2.11.6, or a newer patched version
Plugin: 1app Business Forms
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Sensitive Information Disclosure
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version
Plugin: Wp-Pro-Quiz
Vulnerability: Arbitrary Quiz Deletion via Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EasyRotator for WordPress – Slider Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Verified Reviews (Avis Vérifiés)
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.15
Recommended Action: Update to version 2.3.15, or a newer patched version
Plugin: Login by Auth0
Vulnerability: CSV Injection
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: BestWebSoft's Like & Share – Posts, Pages and Widget Social Extension plugin for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Request Forgery Filesystem Credential Update
Patched Version: 3.7.21
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.21, 3.8.21, 3.9.19, 4.0.18, 4.1.18, 4.2.15, 4.3.11, 4.4.10, 4.5.9, 4.6.6, 4.7.5
Plugin: MainWP Article Uploader Extension
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: QueryWall: Plug'n Play Firewall
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Photo Gallery
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Download Monitor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version
Plugin: Vertical scroll recent post
Vulnerability: Cross-Site Request Forgery via vsrp_admin_options
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image Regenerate & Select Crop
Vulnerability: Sensitive Information Exposure
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version
Plugin: Leaflet Map
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: Sp*tify Play Button for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.08
Recommended Action: Update to version 2.08, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: Finalist
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version
Plugin: WPC Smart Wishlist for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version
Plugin: Jobs for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.11
Recommended Action: Update to version 2.5.11, or a newer patched version
Plugin: Testimonial Slider Shortcode
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Instant CSS
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Plugmatter Optin Feature Box
Vulnerability: SQL Injection
Patched Version: 2.0.14
Recommended Action: Update to version 2.0.14, or a newer patched version
Plugin: WP-ViperGB
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.3.11
Recommended Action: Update to version 1.3.11, or a newer patched version
Plugin: Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator
Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.0.4
Recommended Action: Update to version 7.0.4, or a newer patched version
Plugin: Gallery from files
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Count per Day
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: Pretty Link Lite
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Bitcoin / Altcoin Faucet
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Burst Statistics – Privacy-Friendly Analytics for WordPress
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: TinyMCE Custom Styles
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via option_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: WP Image Zoom
Vulnerability: Cross-Site Request Forgery to Denial of Service
Patched Version: 1.24
Recommended Action: Update to version 1.24, or a newer patched version
Plugin: Hermit 音乐播放器
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Polls CP
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: WP-CRM – Customer Relations Management for WordPress
Vulnerability: CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version
Plugin: Clone
Vulnerability: Cross-Site Request Forgery via wp_ajax_tifm_save_decision
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Multiple Cross-Site Scripting Issues
Patched Version: 1.5.46
Recommended Action: Update to version 1.5.46, or a newer patched version
Plugin: LWS Tools
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: Database Collation Fix
Vulnerability: Cross-Site Request Forgery via admin_page
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: BuddyPress
Vulnerability: Insufficient Privilege De-escalation
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version
Plugin: salient-core
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: eRoom – Zoom Meetings & Webinars
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: PDF Viewer & 3D PDF Flipbook – DearPDF
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: SQL Injection
Patched Version: 13.1.0.6
Recommended Action: Update to version 13.1.0.6, or a newer patched version
Plugin: Social Sharing Toolkit
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Art Direction
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mail Bank – #1 Mail SMTP Plugin for WordPress
Vulnerability: Not specified in this listing (affected versions <= 4.0.14)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version
Plugin: JobCareer | Job Board Responsive WordPress Theme
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version
Plugin: Personal Dictionary – Vocabulary Games, Memory Games
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: WPForms Pro
Vulnerability: Not specified in this listing (affected version 1.8.5.3)
Patched Version: 1.8.5.4
Recommended Action: Update to version 1.8.5.4, or a newer patched version
Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Vulnerability: Cross-Site Request Forgery to Product Manipulation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more
Vulnerability: SQL Injection
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: flowpaper
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Mobile App Builder by WapPress
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: UpdraftPlus: WP Backup & Migration Plugin
Vulnerability: Cross-Site Scripting
Patched Version: 1.9.64
Recommended Action: Update to version 1.9.64, or a newer patched version
Plugin: Simple Calendar – Google Calendar Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend
Vulnerability: Authenticated (Author+) Privilege Escalation
Patched Version: 3.6.6
Recommended Action: Update to version 3.6.6, or a newer patched version
Plugin: ImageMapper
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Page/Post Deletion via imgmap_delete_area_ajax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Job Board
Vulnerability: Local File Inclusion
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version
Plugin: Custom Dashboard Widgets
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via cdw_DashboardWidgets
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kraken.io Image Optimizer
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version
Plugin: Migration, Backup, Staging – WPvivid Backup & Migration
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.9.90
Recommended Action: Update to version 0.9.90, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Cross-Site Request Forgery via ‘display_results’
Patched Version: 8.1.16
Recommended Action: Update to version 8.1.16, or a newer patched version
Plugin: ExportFeed: List WooCommerce Products on eBay Store
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ocean Extra
Vulnerability: Authenticated (Subscriber+) Arbitrary Post Access
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Basic Interactive World Map
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version
Plugin: Web en Mantenimiento
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Welcart e-Commerce
Vulnerability: Object Injection
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Smart SEO Tool – SEO优化插件
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version
Plugin: Yoast Duplicate Post
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: WP DSGVO Tools (GDPR)
Vulnerability: Unauthenticated Arbitrary Post Deletion
Patched Version: 3.1.24
Recommended Action: Update to version 3.1.24, or a newer patched version
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Cross-Site Scripting
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version
Plugin: PDF24 Article To PDF
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SportsPress – Sports Club & League Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.9
Recommended Action: Update to version 2.7.9, or a newer patched version
Plugin: 微信群发助手-Wechat Broadcast
Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ImageRecycle pdf & image compression
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.12
Recommended Action: Update to version 3.1.12, or a newer patched version
Plugin: WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps
Vulnerability: Sensitive Information Exposure
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated Stored Cross-Site Scripting via Caption
Patched Version: 2.5.5.3
Recommended Action: Update to version 2.5.5.3, or a newer patched version
Plugin: Auto Excerpt everywhere
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Unyson
Vulnerability: Cross-Site Scripting
Patched Version: 2.7.27
Recommended Action: Update to version 2.7.27, or a newer patched version
Plugin: Multi-column Tag Map
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 17.0.25
Recommended Action: Update to version 17.0.25, or a newer patched version
Plugin: Essential Grid Portfolio – Photo Gallery
Vulnerability: Missing Authorization
Patched Version: 3.0.19
Recommended Action: Update to version 3.0.19, or a newer patched version
Plugin: WP Easy Gallery – WordPress Gallery Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: DW Question Answer Pro
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hide My WP – Amazing Security Plugin for WordPress!
Vulnerability: Authorization Bypass
Patched Version: 6.2.4
Recommended Action: Update to version 6.2.4, or a newer patched version
Plugin: WP Go Maps (formerly WP Google Maps)
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 8.1.12
Recommended Action: Update to version 8.1.12, or a newer patched version
Plugin: Logo Carousel – Responsive Logo Slider, Logo Showcase, and Clients Logo Gallery
Vulnerability: Unauthorised Private Post Access
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Simple Sticky Footer
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Delete Old Orders
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Modern Events Calendar Lite
Vulnerability: Authenticated (Subscriber+) Category Addition Leading to Stored Cross-Site Scripting
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version
Plugin: Advanced Ads – Ad Manager & AdSense
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.17.4
Recommended Action: Update to version 1.17.4, or a newer patched version
Plugin: Media File Renamer: Rename for better SEO (AI-Powered)
Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: 5.7.8
Recommended Action: Update to version 5.7.8, or a newer patched version
Plugin: Multiple Roles
Vulnerability: Privilege Escalation
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: SEO Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: WordPress Live Chat Plugin for Elementor – LiveChat
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version
Plugin: Easy Custom Auto Excerpt
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection
Vulnerability: Insecure Backup/Logfile Generation
Patched Version: 5.3.1
Recommended Action: Update to version 5.3.1, or a newer patched version
Plugin: FourSquare Checkins
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: SiteBuilder Dynamic Components
Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photospace Gallery
Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPshop 2 – E-Commerce
Vulnerability: Arbitrary File Upload
Patched Version: 1.3.9.6
Recommended Action: Update to version 1.3.9.6, or a newer patched version
Plugin: Quiz Expert – Easy Quiz Maker, Exam and Test Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Download Monitor
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version
Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.5.1
Recommended Action: Update to version 5.5.1, or a newer patched version
Plugin: WP CSV Exporter
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: xili-tidy-tags
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.12.04
Recommended Action: Update to version 1.12.04, or a newer patched version
Plugin: MyCurator Content Curation
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.75
Recommended Action: Update to version 3.75, or a newer patched version
Plugin: Visitor Traffic Real Time Statistics
Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 2.12
Recommended Action: Update to version 2.12, or a newer patched version
Plugin: WordPress WP-Advanced-Search
Vulnerability: SQL Injection
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version
Plugin: Check & Log Email – Easy Email Testing & Mail logging
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.5.2
Recommended Action: Update to version 0.5.2, or a newer patched version
Plugin: YOP Poll
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8.1
Recommended Action: Update to version 5.8.1, or a newer patched version
Plugin: Download Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.54
Recommended Action: Update to version 3.2.54, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Insecure Direct Object Reference
Patched Version: 7.3.7
Recommended Action: Update to version 7.3.7, or a newer patched version
Plugin: Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Limit Login Attempts
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Booking for Appointments and Events Calendar – Amelia
Vulnerability: Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.86
Recommended Action: Update to version 1.0.86, or a newer patched version
Plugin: My Calendar – Accessible Event Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.25
Recommended Action: Update to version 3.3.25, or a newer patched version
Plugin: WP Job Openings – Job Listing, Career Page and Recruitment Plugin
Vulnerability: Information Exposure
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: Calculated Fields Form
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.0.354
Recommended Action: Update to version 1.0.354, or a newer patched version
Plugin: Easy Testimonials
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.39
Recommended Action: Update to version 3.39, or a newer patched version
Plugin: Table Rate Shipping Method for WooCommerce by Flexible Shipping
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.11.9
Recommended Action: Update to version 4.11.9, or a newer patched version
Plugin: Simple Login Log
Vulnerability: SQL Injection
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Acunetix WP Security
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version
Plugin: Find and Replace All
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: Video Conferencing with Zoom
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version
Plugin: Blog Designer
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.8.12
Recommended Action: Update to version 1.8.12, or a newer patched version
Plugin: eBecas
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Authenticated (Author+) Cross-Site Scripting via File Uploads
Patched Version: 3.7.33
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1
Plugin: Announcement & Notification Banner – Bulletin
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version
Plugin: Ninja Tables – Easy Data Table Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version
Plugin: eShop
Vulnerability: Cross-Site Request Forgery and Reflected Cross-Site Scripting
Patched Version: 6.3.14
Recommended Action: Update to version 6.3.14, or a newer patched version
Plugin: EDD Favorites
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: amerisale-re
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Encrypted Blog
Vulnerability: Open Redirect
Patched Version: 0.0.6.6
Recommended Action: Update to version 0.0.6.6, or a newer patched version
Plugin: Featured Post Creative
Vulnerability: Cross-Site Request Forgery via wpfp_update_featured_post
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: My Tickets – Accessible Event Ticketing
Vulnerability: Authorization Bypass
Patched Version: 1.9.12
Recommended Action: Update to version 1.9.12, or a newer patched version
Plugin: bbPress Voting
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.11.1
Recommended Action: Update to version 2.1.11.1, or a newer patched version
Plugin: Mega Addons For WPBakery Page Builder
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Thumbnail Slider With Lightbox
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.18
Recommended Action: Update to version 1.0.18, or a newer patched version
Plugin: WP Vault
Vulnerability: Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Animated Counters
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Core: WordPress
Vulnerability: Full Path Disclosure
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: easy.jobs- Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg
Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: Mark Posts
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Human Presence – Stop Form Spam Without ReCaptcha
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Core: WordPress
Vulnerability: Cryptographic Weakness
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Stout Google Calendar
Vulnerability: Cross-Site Request Forgery via sgc_plugin_options
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Affiliates Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version
Plugin: Amazonify
Vulnerability: Cross-Site Request Forgery to Amazon Tracking ID Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YOP Poll
Vulnerability: Reusable Captcha via validateImage
Patched Version: 6.5.29
Recommended Action: Update to version 6.5.29, or a newer patched version
Plugin: WCP Contact Form
Vulnerability: Reflected Cross-Site Scripting via tab parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: API info for Plugins & Themes from WP.ORG
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.05
Recommended Action: Update to version 1.05, or a newer patched version
Plugin: Anti-Malware Security and Brute-Force Firewall
Vulnerability: Cross-Site Scripting
Patched Version: 4.15.23
Recommended Action: Update to version 4.15.23, or a newer patched version
Plugin: S3bubble Amazon S3 Media Streaming
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SrbTransLatin – Serbian Latinisation
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.47
Recommended Action: Update to version 1.47, or a newer patched version
Plugin: Predictive Search
Vulnerability: Missing Authorization
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version
Plugin: Hover Image
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Missing Authorization Checks
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Forms
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.12.3
Recommended Action: Update to version 1.12.3, or a newer patched version
Plugin: Relevanssi – A Better Search (Pro)
Vulnerability: SQL Injection
Patched Version: 1.14.6.1
Recommended Action: Update to version 1.14.6.1, or a newer patched version
Plugin: Helpful
Vulnerability: Authorization Bypass to Repeat Voting
Patched Version: 4.5.15
Recommended Action: Update to version 4.5.15, or a newer patched version
Plugin: Clean Login
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: UpdraftPlus: WP Backup & Migration Plugin
Vulnerability: Information Disclosure via updraft_ajaxrestore
Patched Version: 1.23.1
Recommended Action: Update to version 1.23.1, or a newer patched version
Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.
Vulnerability: Unauthenticated Arbitrary File Upload via uploadFile
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: Custom Field Template
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: Font Organizer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Vulnerability: Missing Authorization
Patched Version: 4.8.1
Recommended Action: Update to version 4.8.1, or a newer patched version
Plugin: Watu Quiz
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version
Plugin: WordPress Checkout
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Exploit Scanner
Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooSidebars Sidebar Manager Converter
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Stetic
Vulnerability: Not specified in this digest
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: WordPress Calls to Action
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version
Plugin: bird-feeder
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pricing Tables For WPBakery Page Builder (formerly Visual Composer)
Vulnerability: Authenticated (Subscriber+) Local File Inclusion via Shortcode
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Community by PeepSo – Download from PeepSo.com
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 6.1.0.0
Recommended Action: Update to version 6.1.0.0, or a newer patched version
Plugin: YourChannel: Everything you want in a YouTube plugin.
Vulnerability: Missing Authorization to Plugin Settings Reset
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Admin Custom Login
Vulnerability: Not specified in this digest
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version
Plugin: Easy Digital Downloads – Recount Earnings
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GEO Redirector
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smart Forms – when you need more than just a contact form
Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: 2.6.71
Recommended Action: Update to version 2.6.71, or a newer patched version
Plugin: Appointment Calendar
Vulnerability: Multiple Reflected Cross-Site Scripting
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version
Plugin: Debug Meta Data
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Client Reports
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.0.17
Recommended Action: Update to version 1.0.17, or a newer patched version
Plugin: URL Shortener by MyThemeShop
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cart66 Lite :: WordPress Ecommerce
Vulnerability: SQL Injection
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Quick Post Duplicator
Vulnerability: Authenticated (Contributor+) SQL Injection via post_id
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup Images
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Customer Reviews for WooCommerce
Vulnerability: Sensitive Data Exposure
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version
Plugin: Oxygen
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version
Plugin: Statify – Extended Evaluation
Vulnerability: Authenticated (Admin+) CSV Injection
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: WPlite
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Request a Quote
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version
Plugin: Shortcode for Current Date
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: Rating by BestWebSoft
Vulnerability: Rating Denial of Service
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Smart Marketing SMS and Newsletters Forms
Vulnerability: Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.8.1
Recommended Action: Update to version 1.4.8.1, or a newer patched version
Plugin: Jetpack – WP Security, Backup, Speed, & Growth
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Captcha Bypass
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version
Plugin: Paytm Payment Gateway
Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: Albo Pretorio On line
Vulnerability: Unauthenticated Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Super Cache
Vulnerability: Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Team Member – Multi Language Supported Team Plugin
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via new_style_name
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: Unyson
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: teachPress
Vulnerability: Cross-Site Request Forgery via delete_database()
Patched Version: 9.0.6
Recommended Action: Update to version 9.0.6, or a newer patched version
Plugin: Mesmerize Companion
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.135
Recommended Action: Update to version 1.6.135, or a newer patched version
Core: WordPress
Vulnerability: Arbitrary User Password Reset
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: Modula Image Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version
Plugin: Cooked Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.5.6
Recommended Action: Update to version 1.7.5.6, or a newer patched version
Plugin: WPMobile.App — Android and iOS Mobile Application
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 11.19
Recommended Action: Update to version 11.19, or a newer patched version
Plugin: spideranalyse
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Q and A
Vulnerability: Not specified in this digest
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: iPanorama 360 – Advanced Virtual Tour Builder
Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Smooth Slider
Vulnerability: Authenticated SQL Injection
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version
Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version
Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_first_name’ shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: Smooth Slider
Vulnerability: Authenticated SQL Injection
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: MainWP Post Plus Extension
Vulnerability: Missing Authorization to Arbitrary Page/Post Deletion
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Plugin: WP Ultimate Email Marketer
Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YITH Maintenance Mode
Vulnerability: Multiple Authenticated Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: EasyRecipe
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Modula Image Gallery
Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 2.6.91
Recommended Action: Update to version 2.6.91, or a newer patched version
Plugin: Under Construction / Maintenance Mode from Acurax
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Comments – wpDiscuz
Vulnerability: Authenticated (Author+) Insecure Direct Object Reference
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version
Plugin: WP Shamsi – افزونه تاریخ شمسی و فارسی ساز وردپرس
Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version
Plugin: Icons for Features
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.1.3
Recommended Action: Update to version 1.5.1.3, or a newer patched version
Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version
Plugin: H5P CSS Editor
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Avada (Fusion) Builder
Vulnerability: Missing Authorization
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version
Plugin: GTM Server Side
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: 3CX Free Live Chat, Calls & WhatsApp
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 8.0.27
Recommended Action: Update to version 8.0.27, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Reflected Cross-Site Scripting via ‘wpforo_debug’
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: wordpress-gallery-transformation
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ivory Search – WordPress Search Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version
Plugin: YARPP – Yet Another Related Posts Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.30.4
Recommended Action: Update to version 5.30.4, or a newer patched version
Plugin: Rename wp-login.php
Vulnerability: Cross-Site Request Forgery & Unauthenticated Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pixabay Images
Vulnerability: Directory Traversal
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: My Agile Privacy – The only GDPR solution for WP that you can truly trust
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Vulnerability: Sensitive Data Exposure
Patched Version: 1.10.6
Recommended Action: Update to version 1.10.6, or a newer patched version
Plugin: CP Blocks
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.0.21
Recommended Action: Update to version 1.0.21, or a newer patched version
Plugin: Social Count Plus
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: Easy Media Gallery Pro
Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Authenticated (level_5+) SQL Injection via get_logs
Patched Version: 2.8.22
Recommended Action: Update to version 2.8.22, or a newer patched version
Plugin: CallRail Phone Call Tracking
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.5.3
Recommended Action: Update to version 0.5.3, or a newer patched version
Plugin: reCaptcha by BestWebSoft
Vulnerability: CAPTCHA Bypass
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: Optin Forms – Simple List Building Plugin for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 5.11
Recommended Action: Update to version 5.11, or a newer patched version
Plugin: WP Easy Gallery – WordPress Gallery Plugin
Vulnerability: SQL Injection
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: Author Bio Box
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: SupportCandy – Helpdesk & Customer Support Ticket System
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Missing Authorization via ajax_delete_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: All In One Redirection
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: YOP Poll
Vulnerability: Race Condition to Vote Manipulation
Patched Version: 6.5.27
Recommended Action: Update to version 6.5.27, or a newer patched version
Plugin: WP Attachments
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version
Plugin: Traffic Manager
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Leadster
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Insert Special Characters
Vulnerability: Prototype Pollution
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: Frontend File Manager Plugin
Vulnerability: Cross-Site Request Forgery to File Upload
Patched Version: 21.3
Recommended Action: Update to version 21.3, or a newer patched version
Plugin: cformsII
Vulnerability: SQL Injection
Patched Version: 14.6.10
Recommended Action: Update to version 14.6.10, or a newer patched version
Plugin: External Links – nofollow, noopener & new window
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.81
Recommended Action: Update to version 1.81, or a newer patched version
Plugin: WP Debugging
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.11.8
Recommended Action: Update to version 2.11.8, or a newer patched version
Plugin: Age Gate
Vulnerability: Cross-Site Scripting via Data Import
Patched Version: 2.17.1
Recommended Action: Update to version 2.17.1, or a newer patched version
Plugin: WP Inventory Manager
Vulnerability: Reflected Cross-Site Scripting via ‘message’
Patched Version: 2.1.0.12
Recommended Action: Update to version 2.1.0.12, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Authenticated Blind SQL Injection
Patched Version: 9.4.1
Recommended Action: Update to version 9.4.1, or a newer patched version
Plugin: Ultimate Addons for Contact Form 7
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Unauthenticated PHP Object Injection via Cookies
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version
Plugin: Contact Form Manager
Vulnerability: Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: Product page shipping calculator for WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 1.3.26
Recommended Action: Update to version 1.3.26, or a newer patched version
Plugin: ActivityPub
Vulnerability: Missing Authorization
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: WordPress RokBox
Vulnerability: Content Spoofing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: My YouTube Channel
Vulnerability: Cross-Site Request Forgery to Cache Deletion
Patched Version: 3.23.4
Recommended Action: Update to version 3.23.4, or a newer patched version
Plugin: IdeaPush
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.53
Recommended Action: Update to version 8.53, or a newer patched version
Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Font Awesome
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version
Plugin: Lana Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, Point Rewards, Referral Points, Reward for Points, User Badges, and Gamification
Vulnerability: Cross-Site Request Forgery to Settings Change
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Master Elements
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ARI Stream Quiz – WordPress Quizzes Builder
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: WooCommerce Product Table Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP
Vulnerability: Cross-Site Scripting
Patched Version: 4.29.5
Recommended Action: Update to version 4.29.5, or a newer patched version
Plugin: Radio Station by netmix® – Manage and play your Show Schedule in WordPress!
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version
Plugin: ShiftNav – Responsive Mobile Menu
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version
Plugin: Post Views Count (Support caching plugins!)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery by Ays – Responsive Image Gallery
Vulnerability: Responsive Image Gallery <= 4.4.3
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version
Plugin: MainWP Code Snippets Extension
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: Simple Blog Card
Vulnerability: Sensitive Information Exposure
Patched Version: 1.32
Recommended Action: Update to version 1.32, or a newer patched version
Plugin: ANAC XML Bandi di Gara
Vulnerability: Cross-Site Request Forgery via settings.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DVS Custom Notification
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Custom Fields (ACF)
Vulnerability: Author+ Stored Cross-Site Scripting
Patched Version: 5.7.8
Recommended Action: Update to version 5.7.8, or a newer patched version
Plugin: WSM Downloader
Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Solidres – Hotel booking plugin for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar
Vulnerability: SQL Injection
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version
Plugin: Product Catalog Simple
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.5.13
Recommended Action: Update to version 1.5.13, or a newer patched version
Core: WordPress
Vulnerability: Privilege Escalation via XML-RPC
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.7, 5.2.8, 5.3.5, 5.4.3, 5.5.2
Plugin: Watu Quiz
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.8.2
Recommended Action: Update to version 3.3.8.2, or a newer patched version
Plugin: WooCommerce
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version
Plugin: Securimage-WP
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tidio Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WHA Puzzle
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP htpasswd
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Share Buttons by Supsystic
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version
Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: Email Newsletter
Vulnerability: Sensitive Information Disclosure
Patched Version: 9.0
Recommended Action: Update to version 9.0, or a newer patched version
Plugin: iframe
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘iframe’ Shortcode
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version
Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.8.5
Recommended Action: Update to version 4.8.5, or a newer patched version
Plugin: WP Hotel Booking
Vulnerability: Insufficient Authorization to Unauthorized Post Deletion
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Fast Flow
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version
Core: WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.34
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.34, 3.8.34, 3.9.32, 4.0.31, 4.1.31, 4.2.28, 4.3.24, 4.4.23, 4.5.22, 4.6.19, 4.7.18, 4.8.14, 4.9.15, 5.0.10, 5.1.6, 5.2.7, 5.3.4, 5.4.2
Plugin: Appointment Hour Booking – WordPress Booking Plugin
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.56
Recommended Action: Update to version 1.3.56, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: WP Insurance – WordPress Insurance Service Plugin
Vulnerability: Cross-Site Request Forgery leading to Arbitrary Plugin Activation
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version
Plugin: tagDiv Composer
Vulnerability: Reflected Cross-Site Scripting via ‘td_video_url’
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: WP Total Hacks
Vulnerability: Authenticated (Subscriber+) Plugin Options Update to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YITH WooCommerce Wishlist
Vulnerability: SQL Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: WP Content Pilot – Autoblogging & Affiliate Marketing Plugin
Vulnerability: Authenticated (Contributor+) Content Injection
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Visual Form Builder
Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version
Plugin: WP RSS By Publishers
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.0
Recommended Action: Update to version 2.10.0, or a newer patched version
Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More
Vulnerability: SQL Injection
Patched Version: 0.5.16
Recommended Action: Update to version 0.5.16, or a newer patched version
Plugin: WP Flipclock
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: Rate My Post – Star Rating Plugin by FeedbackWP
Vulnerability: Race Condition
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version
Plugin: Stock Manager for WooCommerce
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: Ninja Job Board – Ultimate WordPress Job Board Plugin
Vulnerability: Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Caldera Forms – More Than Contact Forms
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Workscout Core
Vulnerability: Job Board WordPress Theme <= 2.0.31
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: WP-Members Membership Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.10
Recommended Action: Update to version 2.8.10, or a newer patched version
Plugin: Ad Inserter – Ad Manager & AdSense Ads
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: Rearrange Woocommerce Products
Vulnerability: Subscriber+ SQL Injection
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: WP Maintenance Mode & Site Under Construction
Vulnerability: Improper Authorization
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: GigPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.28
Recommended Action: Update to version 2.3.28, or a newer patched version
Plugin: Stylish Price List – Price Table Builder & QR Code Restaurant Menu
Vulnerability: Missing Authorization
Patched Version: 6.9.1
Recommended Action: Update to version 6.9.1, or a newer patched version
Plugin: Admin Bar & Dashboard Access Control
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: Owl Carousel
Vulnerability: Missing Authorization via save_paramter.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Media File Manager
Vulnerability: Directory Traversal to Arbitrary File Read
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Contextual Related Posts
Vulnerability: Missing Authorization in crp_ajax_clearcache
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: OpenHook
Vulnerability: Authenticated (Subscriber+) Remote Code Execution via Shortcode
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: Error Log Viewer by BestWebSoft
Vulnerability: Arbitrary File Deletion
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: IP Blacklist Cloud
Vulnerability: SQL Injections
Patched Version: 3.41
Recommended Action: Update to version 3.41, or a newer patched version
Plugin: Product Stock Manager
Vulnerability: Missing Authorization and Cross-Site Request Forgery
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: Checkout Field Manager (Checkout Manager) for WooCommerce
Vulnerability: Unauthenticated Arbitrary Media Deletion
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version
Plugin: Easy Google Analytics for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Official Integration for Billingo
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 4.68
Recommended Action: Update to version 4.68, or a newer patched version
Plugin: Simple Job Board
Vulnerability: No subtitle
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version
Plugin: BA Book Everything
Vulnerability: Cross-Site Scripting and Cross-Frame Scripting
Patched Version: 1.3.25
Recommended Action: Update to version 1.3.25, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title_size
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: WP Live.php
Vulnerability: Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: WP Default Feature Image
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.30
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.14, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3
Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin
Vulnerability: Unauthenticated Stored Cross-Site Scripting via edit_doc_one_page
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version
Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: mb.miniAudioPlayer – an HTML5 audio player for your mp3 files
Vulnerability: Multiple Vulnerabilities
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version
Plugin: Login with phone number
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Plausible Analytics
Vulnerability: Missing Authorization
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Blog Manager Light
Vulnerability: Cross-Site Request Forgery via bml_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Automatic Domain Changer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard
Vulnerability: Cross-Site Request Forgery via white_label_reset_wl_admins
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version
Plugin: WatchTowerHQ
Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 3.6.16
Recommended Action: Update to version 3.6.16, or a newer patched version
Plugin: Analytics for Woo – Putler Accurate Analytics and Reports for your WooCommerce Store
Vulnerability: Missing Authorization via ‘send_resync_request’
Patched Version: 2.13.0
Recommended Action: Update to version 2.13.0, or a newer patched version
Plugin: Yoast SEO
Vulnerability: Authenticated (SEO Manager+) Stored Cross-Site Scripting
Patched Version: 21.1
Recommended Action: Update to version 21.1, or a newer patched version
Plugin: surveys
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in saveconfig function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: tagDiv Composer
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: RokNewsPager
Vulnerability: Denial of Service
Patched Version: 1.18
Recommended Action: Update to version 1.18, or a newer patched version
Plugin: SS Downloads
Vulnerability: Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features
Vulnerability: Arbitrary File Upload
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version
Plugin: Easy PayPal Events
Vulnerability: Reflected Cross-Site Scripting via Page
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Booking Package
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.11
Recommended Action: Update to version 1.5.11, or a newer patched version
Plugin: OTP Login Woocommerce (Login with OTP)
Vulnerability: Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Missing Authorization
Patched Version: 4.2.3.1
Recommended Action: Update to version 4.2.3.1, or a newer patched version
Core: WordPress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Customizer
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Plugin: Leaflet Maps Marker Pro
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: Enable Media Replace
Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version
Plugin: Visual Slide Box Builder
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Addons for Beaver Builder
Vulnerability: Authenticated (Contributor+) Directory Traversal to Arbitrary File Download
Patched Version: 1.35.14
Recommended Action: Update to version 1.35.14, or a newer patched version
Plugin: Booster Plus for WooCommerce
Vulnerability: Missing Authorization to Order Information Disclosure
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version
Plugin: Simple Calendar – Google Calendar Plugin
Vulnerability: Cross-Site Request Forgery via duplicate_feed
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Core: WordPress
Vulnerability: Directory Traversal
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Core: WordPress
Vulnerability: 6.3.1
Patched Version: 4.7.27
Recommended Action: Update to one of the following versions, or a newer patched version: 4.7.27, 4.8.23, 4.9.24, 5.0.20, 5.1.17, 5.2.19, 5.3.16, 5.4.14, 5.5.13, 5.6.12, 5.7.10, 5.8.8, 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2
Plugin: gravity-file-ajax-upload-free
Vulnerability: Unrestricted File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Companion Auto Update
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Waiting: One-click countdowns
Vulnerability: Missing Authorization Checks leading to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 10Web Social Post Feed
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.1.27
Recommended Action: Update to version 1.1.27, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Authenticated (Admin+) Cross-Site Scripting via label
Patched Version: 3.6.10
Recommended Action: Update to version 3.6.10, or a newer patched version
Plugin: Visual Composer Website Builder
Vulnerability: Authenticated Stored Cross-Site Scripting via ‘Text Block’
Patched Version: 45.0.1
Recommended Action: Update to version 45.0.1, or a newer patched version
Plugin: Multi Step Form
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: Database for Contact Form 7, WPforms, Elementor forms
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.32
Recommended Action: Update to version 7.32, or a newer patched version
Plugin: Simple Basic Contact Form
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 20221201
Recommended Action: Update to version 20221201, or a newer patched version
Plugin: TemplatesNext ToolKit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version
Plugin: WPGraphQL
Vulnerability: Authenticated (Editor+) Server-Side Request Forgery
Patched Version: 1.14.6
Recommended Action: Update to version 1.14.6, or a newer patched version
Plugin: Accept Donations with PayPal & Stripe
Vulnerability: Reflected Cross-Site Scripting via Page
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Job Board by BestWebSoft
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: WPGet API – Connect to any external REST API
Vulnerability: 2.2.1
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: Booking for Appointments and Events Calendar – Amelia
Vulnerability: Missing Authorization
Patched Version: 1.0.99
Recommended Action: Update to version 1.0.99, or a newer patched version
Plugin: Form Builder | Create Responsive Contact Forms
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.9.8.4
Recommended Action: Update to version 1.9.8.4, or a newer patched version
Plugin: Easy Appointments
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version
Plugin: Foliopress WYSIWYG
Vulnerability: Cross-Site Scripting
Patched Version: 2.6.8.5
Recommended Action: Update to version 2.6.8.5, or a newer patched version
Plugin: VK All in One Expansion Unit
Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI
Patched Version: 9.87.1.0
Recommended Action: Update to version 9.87.1.0, or a newer patched version
Plugin: WP Email Users
Vulnerability: SQL Injection
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Social Slider Feed
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: BNG Gateway For WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YouTube Video Inserter
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Online Lesson Booking
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.8.7
Recommended Action: Update to version 0.8.7, or a newer patched version
Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Missing Authorization Checks
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version
Plugin: WordPress Email Marketing Plugin – WP Email Capture
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version
Plugin: Simple Page Transition
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP RSS By Publishers
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: KiviCare – Clinic & Patient Management System (EHR)
Vulnerability: Sensitive Information Exposure
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: WP Reroute Email
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version
Plugin: YASR – Yet Another Star Rating Plugin for WordPress
Vulnerability: Missing Authorization via init
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: eCommerce Product Catalog Plugin for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.27
Recommended Action: Update to version 3.3.27, or a newer patched version
Plugin: Localize My Post
Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hide My WP – Amazing Security Plugin for WordPress!
Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.2.9
Recommended Action: Update to version 6.2.9, or a newer patched version
Plugin: Slideshow Gallery
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TweetScribe
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woocommerce Payment Gateway per Category
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Optin Forms – Simple List Building Plugin for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Wbcom Designs – BuddyPress Group Reviews
Vulnerability: Unauthorized AJAX Actions due to Nonce Bypass
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth
Vulnerability: Missing Authorization via AJAX actions
Patched Version: 7.3.10
Recommended Action: Update to version 7.3.10, or a newer patched version
Plugin: WP-ViperGB
Vulnerability: Cross-Site Scripting
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version
Plugin: FoxyPress
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CT Commerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Instagram for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Reflected Cross-Site Scripting via ‘event_id’
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Unrestricted SVG Uploads
Patched Version: 3.0.14
Recommended Action: Update to version 3.0.14, or a newer patched version
Plugin: External Media
Vulnerability: Authenticated (Author+) File Upload to Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YouTube Playlist Player
Vulnerability: Cross-Site Request Forgery in ytpp_settings
Patched Version: 4.6.5
Recommended Action: Update to version 4.6.5, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: CSV Injection
Patched Version: 2.9.28
Recommended Action: Update to version 2.9.28, or a newer patched version
Plugin: Fast Flow
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version
Plugin: Integrate Google Drive
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Products Quick View for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: Creative Contact Form
Vulnerability: Arbitrary File Upload
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version
Plugin: Very Simple Quiz
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event Expresso Free
Vulnerability: Authenticated SQL Injection
Patched Version: 3.1.37.12.L
Recommended Action: Update to version 3.1.37.12.L, or a newer patched version
Plugin: Generate PDF using Contact Form 7
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version
Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Vulnerability: Information Disclosure
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version
Plugin: OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.
Vulnerability: Subscriber+ Arbitrary File/Folder Deletion
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: WPtouch – Make your WordPress Website Mobile-Friendly
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.44
Recommended Action: Update to version 4.3.44, or a newer patched version
Plugin: MainWP File Uploader Extension
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Plugin: Superb slideshow gallery
Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 13.2
Recommended Action: Update to version 13.2, or a newer patched version
Plugin: WooCommerce
Vulnerability: Authenticated Blind SQL Injection
Patched Version: 3.3.6
Recommended Action: Update to one of the following versions, or a newer patched version: 3.3.6, 3.4.8, 3.5.9, 3.6.6, 3.7.2, 3.8.2, 3.9.4, 4.0.2, 4.1.2, 4.2.3, 4.3.4, 4.4.2, 4.5.3, 4.6.3, 4.7.2, 4.8.1, 4.9.3, 5.0.1, 5.1.1, 5.2.3, 5.3.1, 5.4.2, 5.5.1, 5.5.2
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Multiple SQL Injections
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version
Plugin: Continuous Image Carousel With Lightbox
Vulnerability: Reflected Cross-Site Scripting via search_term, order_by and order_pos
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version
Plugin: PDF Block
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Multicons [ Multiple Favicons ]
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: JobSearch WP Job Board
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: WP CleanFix
Vulnerability: Remote Code Execution
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version
Plugin: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.19.2
Recommended Action: Update to version 2.19.2, or a newer patched version
Plugin: FV Flowplayer Video Player
Vulnerability: Sensitive Information Exposure
Patched Version: 7.3.15.727
Recommended Action: Update to version 7.3.15.727, or a newer patched version
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Mobile-Friendly Image Gallery <= 1.8.19
Patched Version: 1.8.20
Recommended Action: Update to version 1.8.20, or a newer patched version
Plugin: WP Go Maps (formerly WP Google Maps)
Vulnerability: Unauthenticated Stored Cross-Site Scripting via REST API
Patched Version: 9.0.28
Recommended Action: Update to version 9.0.28, or a newer patched version
Plugin: Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN
Vulnerability: Directory Traversal
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version
Plugin: WP-Business Directory
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JetBackup – WP Backup, Migrate & Restore
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.9.1
Recommended Action: Update to version 1.6.9.1, or a newer patched version
Plugin: G-Lock Double Opt-in Manager
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Read more By Adam
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Flipbox – Awesomes Flip Boxes Image Overlay
Vulnerability: Authenticated (Admin+) Arbitrary Options Update
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Magee Shortcodes
Vulnerability: Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Core: WordPress
Vulnerability: Authorization Bypass to Information Disclosure
Patched Version: 3.7.11
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.11, 3.8.11, 3.9.9, 4.0.8, 4.1.8, 4.2.5, 4.3.1
Plugin: Drag & Drop Builder, Human Face Detector, Pre-built Templates, Spam Protection, User Email Notifications & more!
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.9.4
Recommended Action: Update to version 1.4.9.4, or a newer patched version
Plugin: Export All URLs
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: Site Reviews
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 5.13.1
Recommended Action: Update to version 5.13.1, or a newer patched version
Plugin: Social Media Share Buttons & Social Sharing Icons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: Mediabay – Media Library Folders
Vulnerability: Missing Authorization via AJAX actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Amazon Affiliate Link Localizer
Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Block Plugin Update
Vulnerability: Cross-Site Request Forgery via bspu_plugin_select.php
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.63
Recommended Action: Update to version 1.5.63, or a newer patched version
Plugin: Easy Updates Manager
Vulnerability: Insufficient Restrictions on Option Changes
Patched Version: 8.0.5
Recommended Action: Update to version 8.0.5, or a newer patched version
Plugin: Cookies by JM
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Custom Cart Link for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: WHIZZ
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Members Import
Vulnerability: Self Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: New User Approve
Vulnerability: Cross-Site Request Forgery via admin_notices
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: Smart Forms – when you need more than just a contact form
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 2.6.85
Recommended Action: Update to version 2.6.85, or a newer patched version
Plugin: Elementor Forms Google Sheet Connector Pro
Vulnerability: Reflected Cross-Site Scripting via ‘code’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smoothscroller
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booster Plus for WooCommerce
Vulnerability: Cross-Site Request Forgery to File Deletion
Patched Version: 5.6.5
Recommended Action: Update to version 5.6.5, or a newer patched version
Plugin: WP Page Widget
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Missing Authorization on ajax_edit_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Kanban Boards for WordPress
Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version
Plugin: Shortcode IMDB
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gallery Plugin for WordPress – Envira Photo Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.4.7
Recommended Action: Update to version 1.8.4.7, or a newer patched version
Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin
Vulnerability: Multiple Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: Asgaros Forum
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Leyka
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.30
Recommended Action: Update to version 3.30, or a newer patched version
Plugin: Nextend Twitter Connect
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: Connections Business Directory
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 10.4.3
Recommended Action: Update to version 10.4.3, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via cg_multiple_files_for_post
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Subscriber+ Arbitrary File Upload
Patched Version: 4.24
Recommended Action: Update to version 4.24, or a newer patched version
Plugin: Testimonial Slider – Free Testimonials Slider Plugin
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.5.8.4
Recommended Action: Update to version 3.5.8.4, or a newer patched version
Plugin: WP-Table
Vulnerability: Remote File Inclusion
Patched Version: 1.44
Recommended Action: Update to version 1.44, or a newer patched version
Plugin: YITH WooCommerce Bulk Product Editing
Vulnerability: Authenticated Settings Change
Patched Version: 1.2.14
Recommended Action: Update to version 1.2.14, or a newer patched version
Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP
Vulnerability: Cross-Site Scripting
Patched Version: 4.29.9
Recommended Action: Update to version 4.29.9, or a newer patched version
Plugin: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress RokBox
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download Monitor
Vulnerability: Authenticated (Admin+) Arbitrary File Download
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version
Plugin: Speed Booster Pack ⚡ PageSpeed Optimization Suite
Vulnerability: Admin+ SQL Injection
Patched Version: 4.3.3.1
Recommended Action: Update to version 4.3.3.1, or a newer patched version
Plugin: User Login History
Vulnerability: Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Post List Designer by Category – List Category Post Or Recent Post
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version
Plugin: If Menu – Visibility control for Menus
Vulnerability: Missing Authorization to Admin Settings Modification
Patched Version: 0.17
Recommended Action: Update to version 0.17, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Missing Authorization via handleBeforeGateway
Patched Version: 2.33.2
Recommended Action: Update to version 2.33.2, or a newer patched version
Plugin: Kama Click Counter
Vulnerability: Cross-Site Scripting
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Plugin: WebP Express
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.14.11
Recommended Action: Update to version 0.14.11, or a newer patched version
Plugin: Welcart e-Commerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: 0mk Shortener
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PDF Builder for WooCommerce. Create invoices,packing slips and more
Vulnerability: Cross-Site Request Forgery to Custom Field Creation
Patched Version: 1.2.91
Recommended Action: Update to version 1.2.91, or a newer patched version
Plugin: Jquery news ticker
Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Nelio AB Testing
Vulnerability: Server Side Request Forgery
Patched Version: 4.5.9
Recommended Action: Update to version 4.5.9, or a newer patched version
Plugin: WP Plugin Lister
Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: W3 Total Cache
Vulnerability: Cross-Site Scripting via request_id
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version
Plugin: Share and Follow
Vulnerability: Cross-Site Scripting
Patched Version: 1.80.4
Recommended Action: Update to version 1.80.4, or a newer patched version
Plugin: screets-lcx
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: Login/Signup Popup ( Inline Form + Woocommerce )
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: IMPress Listings
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: WP REST API (WP API)
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Google SEO Pressor for Rich snippets
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: PubyDoc – Data Tables and Charts
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Vospari Forms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: User Submitted Posts – Enable Users to Submit Posts from the Front End
Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘user-submitted-content’
Patched Version: 20230811
Recommended Action: Update to version 20230811, or a newer patched version
Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode
Vulnerability: Cross-Site Scripting via social_icon_1 parameter
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version
Plugin: Simple Page Ordering
Vulnerability: Regular Expression Denial of Service
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version
Plugin: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version
Plugin: ARI Fancy Lightbox – Popup for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Photospace Responsive Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 2.3.29
Recommended Action: Update to version 2.3.29, or a newer patched version
Plugin: FontMeister – The Font Management Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Cross-Site Request Forgery Protection Bypass
Patched Version: 3.7.4
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.4, 3.8.4, 3.9.2
Plugin: Greeklish-permalink
Vulnerability: Missing Authorization via cyrtrans_ajax_old AJAX action
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version
Plugin: Post to CSV by BestWebSoft
Vulnerability: Authenticated (Author+) CSV Injection
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Authenticated SQL Injection
Patched Version: 12.0.8
Recommended Action: Update to version 12.0.8, or a newer patched version
Plugin: CM WordPress Search And Replace Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: WP-RecentComments
Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Erident Custom Login and Dashboard
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version
Plugin: wpForo Forum
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Zoho SalesIQ – Live chat, chatbots, and visitor tracking
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: Lava Directory Manager
Vulnerability: Unauthenticated Stored Cross-Site Scripting via New Listing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP OAuth Server (OAuth Authentication)
Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion (wo_ajax_remove_client)
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version
Plugin: Modern Events Calendar Lite
Vulnerability: Unauthenticated Blind SQL Injection via time Parameter
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version
Plugin: Advanced Forms for ACF
Vulnerability: Insecure Direct Object Reference
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version
Plugin: iFeature Slider
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mailrelay
Vulnerability: Cross-Site Request Forgery via render_admin_page
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Cookie Information | Free GDPR Consent Solution
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: WPS Child Theme Generator
Vulnerability: Directory Traversal
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: My Tickets – Accessible Event Ticketing
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.11
Recommended Action: Update to version 1.9.11, or a newer patched version
Plugin: WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件
Vulnerability: Cross-Site Scripting
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version
Plugin: SlimStat Analytics
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 5.0.9
Recommended Action: Update to version 5.0.9, or a newer patched version
Plugin: Mingle Forum
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.33.2
Recommended Action: Update to version 1.0.33.2, or a newer patched version
Plugin: WordPress Users
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.13.60
Recommended Action: Update to version 1.13.60, or a newer patched version
Plugin: WP-DBManager
Vulnerability: Arbitrary File Read
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: WP eCommerce
Vulnerability: SQL Injection
Patched Version: 3.11.4
Recommended Action: Update to version 3.11.4, or a newer patched version
Plugin: Registrations for the Events Calendar – Event Registration Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.5.25
Recommended Action: Update to version 3.5.25, or a newer patched version
Plugin: Post Connector
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: RSS Feed Reader
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.14.12
Recommended Action: Update to version 1.14.12, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Missing Authorization to Non-Arbitrary File Upload
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: 1g-music-share
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stock in & out
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Cross-Site Scripting
Patched Version: 1.3.67
Recommended Action: Update to version 1.3.67, or a newer patched version
Plugin: Shop as a Customer for WooCommerce
Vulnerability: Authenticated (Shop Manager+) Privilege Escalation
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Analyticator
Vulnerability: Cross-Site Scripting
Patched Version: 6.4.9.6
Recommended Action: Update to version 6.4.9.6, or a newer patched version
Plugin: Urvanov Syntax Highlighter
Vulnerability: Cross-Site Request Forgery via init_ajax
Patched Version: 2.8.34
Recommended Action: Update to version 2.8.34, or a newer patched version
Plugin: Donation Platform for WooCommerce: Fundraising & Donation Management
Vulnerability: Cross-Site Request Forgery to Survey Submission
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version
Plugin: WPGraphQL WooCommerce
Vulnerability: Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Hide Post
Vulnerability: Cross-Site Request Forgery via save_bulk_edit_data
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Database Reset
Vulnerability: Privilege Escalation
Patched Version: 3.15
Recommended Action: Update to version 3.15, or a newer patched version
Plugin: Form Builder | Create Responsive Contact Forms
Vulnerability: Cross-Site Scripting
Patched Version: 1.9.8.5
Recommended Action: Update to version 1.9.8.5, or a newer patched version
Plugin: Role Scoper (Obsolete – Please install PublishPress Permissions)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.67
Recommended Action: Update to version 1.3.67, or a newer patched version
Plugin: Events Manager – Calendar, Bookings, Tickets, and more!
Vulnerability: Cross-Site Scripting
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version
Plugin: WordPress Processing Embed
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Notices
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: InBoundio Marketing
Vulnerability: Arbitrary File Upload
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Relevanssi – A Better Search (Pro)
Vulnerability: Missing Authorization
Patched Version: 2.16.5
Recommended Action: Update to version 2.16.5, or a newer patched version
Plugin: Participants Database
Vulnerability: Missing Authorization
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version
Plugin: Throws SPAM Away
Vulnerability: Cross-Site Request Forgery to Comment Modification
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: WordPress Filter Gallery Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.1.6
Recommended Action: Update to version 0.1.6, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Directory Traversal
Patched Version: 2.0.40
Recommended Action: Update to version 2.0.40, or a newer patched version
Core: WordPress
Vulnerability: Missing Session Cookie Expiration
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: Social Media Share Buttons & Social Sharing Icons
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version
Plugin: Email Log
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: Conditional Fields for Contact Form 7
Vulnerability: Missing Authorization
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: Cimy Header Image Rotator
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bloom Email Opt-In
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: NMI Gateway For WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Download Monitor
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version
Plugin: Meks Audio Player
Vulnerability: Cross-Site Request Forgery via meks_remove_notification
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: efence
Vulnerability: Multiple Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Webmention
Vulnerability: Reflected Cross-Site Scripting via ‘replytocom’
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version
Plugin: WP Downgrade | Specific Core Version
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Contact Form 7 Captcha
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.0.9
Recommended Action: Update to version 0.0.9, or a newer patched version
Plugin: Bradesco Gateway
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: IP Blacklist Cloud
Vulnerability: Authenticated (Admin+) Path Traversal
Patched Version: 3.43
Recommended Action: Update to version 3.43, or a newer patched version
Plugin: Easy Google Adsense and Banner Ads Manager – AdsforWP
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: Asgaros Forum
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.15.14
Recommended Action: Update to version 1.15.14, or a newer patched version
Core: WordPress
Vulnerability: Full Path Disclosure
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: FOX – Currency Switcher Professional for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.3.9.3
Recommended Action: Update to version 1.3.9.3, or a newer patched version
Plugin: sintic_gallery
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Auto Publish for Google My Business
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version
Plugin: WordPress + Microsoft Office 365 / Azure AD | LOGIN
Vulnerability: Authentication Bypass
Patched Version: 11.7
Recommended Action: Update to version 11.7, or a newer patched version
Plugin: Email Subscriber
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!
Vulnerability: SQL Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version
Plugin: OWM Weather
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.12
Recommended Action: Update to version 5.6.12, or a newer patched version
Plugin: Advance Menu Manager
Vulnerability: Cross-Site Request Forgery to Menu Edition
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Revamp CRM for WooCommerce
Vulnerability: Local File Inclusion
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: WP ULike – All-in-One Engagement Toolkit
Vulnerability: Race Condition
Patched Version: 4.6.5
Recommended Action: Update to version 4.6.5, or a newer patched version
Plugin: Advanced Order Export For WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version
Plugin: Contact Form by Supsystic
Vulnerability: SQL Injections
Patched Version: 1.7.11
Recommended Action: Update to version 1.7.11, or a newer patched version
Plugin: illi Link Party!
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Link Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Navis DocumentCloud
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.1.1
Recommended Action: Update to version 0.1.1, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 7.3.11
Recommended Action: Update to version 7.3.11, or a newer patched version
Plugin: wp-forum
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Noindex Nofollow Tool
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cart66 Lite :: WordPress Ecommerce
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.1.15
Recommended Action: Update to version 1.5.1.15, or a newer patched version
Plugin: Allow PHP in Posts and Pages
Vulnerability: Authenticated (Subscriber+) Remote Code Execution via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Text Hover
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: HUSKY – Products Filter Professional for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.4.4
Recommended Action: Update to version 1.3.4.4, or a newer patched version
Plugin: School Management System for WordPress
Vulnerability: Authenticated (Student+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MySliderGallery
Vulnerability: Remote File Inclusion
Patched Version: 1.4b5
Recommended Action: Update to version 1.4b5, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 3.7.6
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.6, 3.8.6, 3.9.4, 4.0.2, 4.1.2
Plugin: WP Meta and Date Remover
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via settings
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Game Server Status
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ClickFunnels
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tiempo.com
Vulnerability: Cross-Site Request Forgery to Shortcode Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Cross-Site Scripting
Patched Version: 3.2.14
Recommended Action: Update to version 3.2.14, or a newer patched version
Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.21.3
Recommended Action: Update to version 2.21.3, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.56
Recommended Action: Update to version 1.3.56, or a newer patched version
Plugin: Accordion Slider
Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version
Plugin: Mobile Assistant Connector
Vulnerability: SQL Injection
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: Embedded Video
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds
Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version
Plugin: Schema App Structured Data
Vulnerability: Missing Authorization via page_init
Patched Version: 1.22.4
Recommended Action: Update to version 1.22.4, or a newer patched version
Plugin: WP-Stats
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.52
Recommended Action: Update to version 2.52, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Sensitive Information Exposure
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: Locations
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: Advanced Custom Fields (ACF)
Vulnerability: Remote Code Execution via Remote File Inclusion
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version
Plugin: Recall Products
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Divi Builder
Vulnerability: Arbitrary File Upload
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version
Plugin: Product Category Tree
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Webcam Microphone Screen Recorder HTML5
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.55.5
Recommended Action: Update to version 1.55.5, or a newer patched version
Plugin: Images Asynchronous Load
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.06
Recommended Action: Update to version 1.06, or a newer patched version
Plugin: WordPress Multisite Content Copier/Updater Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: enigma-chartjs
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.73
Recommended Action: Update to version 1.73, or a newer patched version
Plugin: JS Job Manager
Vulnerability: Arbitrary Plugin Installation/Activation
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Advanced AJAX Product Filters
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4.7
Recommended Action: Update to version 1.5.4.7, or a newer patched version
Plugin: JetBackup – WP Backup, Migrate & Restore
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: YOP Poll
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version
Plugin: YouTube Embed, Playlist and Popup by WpDevArt
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Unauthenticated Stored Cross-Site Scripting via headers
Patched Version: 21.2.8.1
Recommended Action: Update to version 21.2.8.1, or a newer patched version
Plugin: Simple Wp Sitemap
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Open Close WooCommerce Store – Best Business Schedules Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: OneClick Chat to Order
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: Ad Inserter – Ad Manager & AdSense Ads
Vulnerability: Authenticated Path Traversal
Patched Version: 2.4.20
Recommended Action: Update to version 2.4.20, or a newer patched version
Plugin: Easy Redirect Manager
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Vulnerability: Missing Authorization
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version
Plugin: WP Comment Remix
Vulnerability: SQL Injection
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: JetBackup – WP Backup, Migrate & Restore
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.47
Recommended Action: Update to version 1.1.47, or a newer patched version
Plugin: SupportFlow
Vulnerability: Stored Cross-Site Scripting via discussion ticket title
Patched Version: 0.7
Recommended Action: Update to version 0.7, or a newer patched version
Plugin: HUSKY – Products Filter Professional for WooCommerce
Vulnerability: Products Filter for WooCommerce <= 1.1.9
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Keyword Meta
Vulnerability: Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: WP Support Plus Responsive Ticket System
Vulnerability: Improper Authentication
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: Post Views Counter
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Login Block IPs
Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages
Vulnerability: WPLegalPages <= 2.7.0
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: Image Intense
Vulnerability: SQL Injection
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version
Plugin: Slideshow Gallery LITE
Vulnerability: SQL Injection
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version
Plugin: Gift Up Gift Cards for WordPress and WooCommerce
Vulnerability: Cross-Site Request Forgery via consume_post
Patched Version: 2.22
Recommended Action: Update to version 2.22, or a newer patched version
Plugin: Qiniu Uploader
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy PayPal & Stripe Buy Now Button
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: FavIcon Switcher
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Reset Pro – Most Advanced WordPress Reset Tool
Vulnerability: Missing Authorization to Database Reset
Patched Version: 5.99
Recommended Action: Update to version 5.99, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via cg_copy_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: Ads Box
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cooked – Recipe Management
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.9.1
Recommended Action: Update to version 1.7.9.1, or a newer patched version
Plugin: Simple Tooltips
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: WooCommerce Box Office
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.51
Recommended Action: Update to version 1.1.51, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Local File Inclusion
Patched Version: 0.8.5.8
Recommended Action: Update to version 0.8.5.8, or a newer patched version
Plugin: NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Disqus Comment System
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.76
Recommended Action: Update to version 2.76, or a newer patched version
Plugin: bbPress Login Register Links On Forum Topic Pages
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version
Plugin: Plotly
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version
Plugin: Admin Word Count Column
Vulnerability: Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woocommerce Tranzila Payment Gateway
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Platinum SEO
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version
Plugin: Plausible Analytics
Vulnerability: Reflected Cross-Site Scripting via page-url
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Titan Anti-spam & Security
Vulnerability: IP Spoofing to Protection Bypass
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version
Plugin: GNU-Mailman Integration
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Reflected Cross-Site Scripting via ‘page’ and ‘tab’
Patched Version: 12.1.21
Recommended Action: Update to version 12.1.21, or a newer patched version
Plugin: Turn off all comments
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: stats
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: Fast Custom Social Share by CodeBard
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: Simple Staff List
Vulnerability: Missing Authorization via ajax_flush_rewrite_rules and staff_member_export
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Affiliate Ads for cbAds.com
Vulnerability: Cross-Site Scripting
Patched Version: 1.35
Recommended Action: Update to version 1.35, or a newer patched version
Plugin: Travel Map
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Simple Fields
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WHMCS Bridge
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4b
Recommended Action: Update to version 6.4b, or a newer patched version
Plugin: Image Gallery – Responsive Photo Gallery
Vulnerability: Reflected Cross-Site Scripting via linkbutton
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version
Plugin: E2Pdf – Export Pdf Tool for WordPress
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.20.24
Recommended Action: Update to version 1.20.24, or a newer patched version
Plugin: Campaign Monitor Forms by Optin Cat
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Options Update via ajax_dismiss_notice
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version
Plugin: Dropdown Menu Widget
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DJ EmailPublish
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more
Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.2.8
Recommended Action: Update to version 5.2.8, or a newer patched version
Plugin: WP Stripe Checkout
Vulnerability: Sensitive Information Exposure via Debug Log
Patched Version: 1.2.2.38
Recommended Action: Update to version 1.2.2.38, or a newer patched version
Plugin: IFrame Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: JetEngine
Vulnerability: Missing Authorization
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: Smart Post Show – Post Grid, Post Carousel, Post Slider, Post Timeline, Post Table, and List Category Posts, Latest Posts, Recent Posts, Popular Posts and More
Vulnerability: Missing Capabilities Check
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version
Plugin: Glass
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.0.0
Recommended Action: Update to version 7.0.0, or a newer patched version
Core: WordPress
Vulnerability: Sensitive Information Disclosure
Patched Version: 3.0
Recommended Action: Update to one of the following versions, or a newer patched version: 3.0, 3.0.5
Plugin: Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Slider by 10Web – Responsive Image Slider
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.2.53
Recommended Action: Update to version 1.2.53, or a newer patched version
Plugin: Breadcrumb NavXT
Vulnerability: Sensitive Data Exposure
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version
Plugin: WP Shop
Vulnerability: SQL Injection
Patched Version: 3.4.3.16
Recommended Action: Update to version 3.4.3.16, or a newer patched version
Plugin: WebP Express
Vulnerability: Arbitrary File Read
Patched Version: 0.14.11
Recommended Action: Update to version 0.14.11, or a newer patched version
Plugin: CM Tooltip Glossary
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.9.21
Recommended Action: Update to version 3.9.21, or a newer patched version
Plugin: custom-metas
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Order XML File Export Import for WooCommerce
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Add Social Share Buttons for Whatsapp and Viber
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: Salat Times
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: yahoo-updates-for-wordpress
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clean Login
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.4
Recommended Action: Update to version 1.10.4, or a newer patched version
Plugin: GoCodes
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Community Events
Vulnerability: SQL Injection
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version
Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
Vulnerability: Missing Authorization via _update_shortcode
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Stock Ticker
Vulnerability: Reflected Cross-Site Scripting in ajax_stockticker_symbol_search_test
Patched Version: 3.23.3
Recommended Action: Update to version 3.23.3, or a newer patched version
Plugin: Pixel Cat – Conversion Pixel Manager
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: AI Power: Complete AI Pack
Vulnerability: Missing Authorization to Sensitive Data Exposure
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Multiple SQL Injection
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version
Plugin: FunCaptcha – Anti-Spam CAPTCHA
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.3.3
Recommended Action: Update to version 0.3.3, or a newer patched version
Plugin: Login/Signup Popup ( Inline Form + Woocommerce )
Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: We’re Open!
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.42
Recommended Action: Update to version 1.42, or a newer patched version
Plugin: WPPerformanceTester
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Register Plus Redux
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimeter
Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version
Plugin: Advanced Text Widget
Vulnerability: Missing Authorization via atw_dismiss_admin_notice
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sidebar Widgets by CodeLights
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Loan Comparison
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: WP Testimonials
Vulnerability: Cross-Site Request Forgery to Widget Deletion
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Sitemap Index
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Digital Downloads (EDD) Stripe
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: WC Captcha
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EELV Newsletter
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: MainWP Wordfence Extension
Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Several Parameters
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: MailPoet Newsletters (Previous)
Vulnerability: Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: BuddyPress
Vulnerability: Missing Authorization to Private Post Activity
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version
Plugin: Database Cleaner
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 0.9.9
Recommended Action: Update to version 0.9.9, or a newer patched version
Plugin: Easy Cookie Law
Vulnerability: Cross-Site Request Forgery via ‘ecl_options’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hotel Listings
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Post Hit Counter
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP All Import Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting via Media Metadata
Patched Version: 3.7.19
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.19, 3.8.19, 3.9.17, 4.0.16, 4.1.16, 4.2.13, 4.3.9, 4.4.8, 4.5.7, 4.6.4, 4.7.3
Plugin: Intelligent WordPress Live Chat Support Plugin | Utilities
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Database Backup for WordPress
Vulnerability: Admin+ SQL Injection
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Data Tables Generator by Supsystic
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.92
Recommended Action: Update to version 1.9.92, or a newer patched version
Plugin: ActivityPub
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Content
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version
Plugin: Import any XML, CSV or Excel File to WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 3.4.6
Recommended Action: Update to version 3.4.6, or a newer patched version
Plugin: WordPress Simple Shopping Cart
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version
Plugin: UserPro – Community and User Profile WordPress Plugin
Vulnerability: Sensitive Information Disclosure via Shortcode
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version
Plugin: WP Show Posts
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: BuddyPress
Vulnerability: SQL Injection
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Authenticated (Author+) SQL Injection via cg_copy_start
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: Menu Image, Icons made easy
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version
Plugin: Gmedia Photo Gallery
Vulnerability: Open Proxy
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: Gallery – Image and Video Gallery with Thumbnails
Vulnerability: SQL Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Nested Pages
Vulnerability: Open Redirect
Patched Version: 3.1.16
Recommended Action: Update to version 3.1.16, or a newer patched version
Plugin: LearnDash LMS
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.5.3.1
Recommended Action: Update to version 4.5.3.1, or a newer patched version
Plugin: Pixabay Images
Vulnerability: Authentication Bypass to Arbitrary File Upload
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: CC Child Pages
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.43
Recommended Action: Update to version 1.43, or a newer patched version
Plugin: 2 Click Social Media Buttons
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 0.34
Recommended Action: Update to version 0.34, or a newer patched version
Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Vulnerability: Cross-Site Request Forgery to Product Manipulation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: VK All in One Expansion Unit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting in Profile Setting
Patched Version: 9.88.2.0
Recommended Action: Update to version 9.88.2.0, or a newer patched version
Plugin: UpdraftPlus: WP Backup & Migration Plugin
Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 1.16.59
Recommended Action: Update to version 1.16.59, or a newer patched version
Plugin: Easy Photo Album
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Ultimate GDPR & CCPA Compliance Toolkit for WordPress
Vulnerability: Unauthenticated Settings Import & Export
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Limit Login Attempts
Vulnerability: Administrator+ Cross-Site Scripting
Patched Version: 4.0.72
Recommended Action: Update to version 4.0.72, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.8.5
Recommended Action: Update to version 0.8.5, or a newer patched version
Plugin: Add Comments
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: KiviCare – Clinic & Patient Management System (EHR)
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Cross-Site Request Forgery via ajax_save_folder_order
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Loginizer
Vulnerability: Reflected Cross-Site Scripting via ‘name’
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: Simple Download Monitor
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version
Plugin: Hot Linked Image Cacher
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Advanced Bulk Edit Products, Orders, Coupons, Any WordPress Post Type – Smart Manager
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version
Plugin: Webmaster Tools
Vulnerability: Cross-Site Request Forgery via lionscripts_plg_f
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: yolink Search for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Authenticated SQL Injection
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version
Plugin: Sell Media
Vulnerability: Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: Advanced uploader
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP ULike – All-in-One Engagement Toolkit
Vulnerability: Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: Shoppable Images
Vulnerability: Missing Authorization
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.3.23
Recommended Action: Update to version 1.2.3.23, or a newer patched version
Plugin: Fudousan Plugin
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Job Board
Vulnerability: Reflected Cross-Site Scripting & Cross-Frame Scripting
Patched Version: 5.7.0
Recommended Action: Update to version 5.7.0, or a newer patched version
Plugin: CLUEVO LMS, E-Learning Platform
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11.0
Recommended Action: Update to version 1.11.0, or a newer patched version
Plugin: Sort SearchResult By Title
Vulnerability: Cross-Site Request Forgery via settings_page
Patched Version: 11.0
Recommended Action: Update to version 11.0, or a newer patched version
Plugin: Portfolio by BestWebSoft – Work and Projects Presentation Plugin for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: Social Media Feather | social media sharing
Vulnerability: Missing Authorization
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: Frontend Post WordPress Plugin – AccessPress Anonymous Post
Vulnerability: Backdoored
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version
Plugin: Random Banner
Vulnerability: Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: kbslider
Vulnerability: Path Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More
Vulnerability: Cross-Site Request Forgery via views/tools/diagnostics/information.php
Patched Version: 1.5.7.1
Recommended Action: Update to version 1.5.7.1, or a newer patched version
Plugin: Login With Ajax – Fast Logins, 2FA, Redirects
Vulnerability: Cross-Site Scripting
Patched Version: 3.0.4.1
Recommended Action: Update to version 3.0.4.1, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Authenticated (Administrator+) Directory Traversal to Arbitrary File Read
Patched Version: 5.6.24
Recommended Action: Update to version 5.6.24, or a newer patched version
Plugin: Advanced Shipment Tracking for WooCommerce
Vulnerability: Authenticated WordPress Options Change
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Missing Authorization to Course Category Creation
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image URL
Patched Version: 5.9.5
Recommended Action: Update to version 5.9.5, or a newer patched version
Plugin: AMP+ Plus
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Directory Listings WordPress plugin – uListing
Vulnerability: Unauthenticated Arbitrary Account Changes
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: WP Maps – Display Google Maps Perfectly with Ease
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version
Plugin: Yoast SEO
Vulnerability: Cross-Site Scripting via post_title parameter
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings
Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 7.0.6.2
Recommended Action: Update to version 7.0.6.2, or a newer patched version
Plugin: WP Custom Admin Interface
Vulnerability: Missing Authorization to Transients Deletion
Patched Version: 7.33
Recommended Action: Update to version 7.33, or a newer patched version
Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Arbitrary Post Deletion via Cross-Site Request Forgery
Patched Version: 4.3.25
Recommended Action: Update to version 4.3.25, or a newer patched version
Plugin: ENL Newsletter
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Authenticated Access or Cross-Site Request Forgery leading to SQL Injection via orderby, order Parameters
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version
Plugin: Maps by BestWebSoft
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: HTML5 AV Manager
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Amazonify
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Arbitrary File Upload
Patched Version: 1.9.13
Recommended Action: Update to version 1.9.13, or a newer patched version
Plugin: Download Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.49
Recommended Action: Update to version 3.2.49, or a newer patched version
Plugin: WooPayments: Integrated WooCommerce Payments
Vulnerability: 5.6.1 Authentication Bypass and Privilege Escalation
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version
Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
Vulnerability: Cross-Site Request Forgery via Multiple AJAX Actions
Patched Version: 121
Recommended Action: Update to version 121, or a newer patched version
Plugin: Social Share Boost
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: HTML5 MP3 Player with Playlist Free
Vulnerability: Full Path Disclosure
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version
Plugin: JobBoardWP – Job Board Listings and Submissions
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Mingle Forum
Vulnerability: SQL Injection
Patched Version: 1.0.33
Recommended Action: Update to version 1.0.33, or a newer patched version
Plugin: Dynamic Word Spinner: CSS3 Animated Rotation
Vulnerability: Missing Authorization via save_admin_options
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Arbitrary File Upload
Patched Version: 2.0.77.3
Recommended Action: Update to version 2.0.77.3, or a newer patched version
Plugin: MapPress Maps for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.88.15
Recommended Action: Update to version 2.88.15, or a newer patched version
Plugin: Category Specific RSS feed Subscription
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version
Plugin: WordPress Button Plugin MaxButtons
Vulnerability: Shortcode-Based Cross-Site Scripting
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version
Plugin: PHP Compatibility Checker
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Gallery – Photo Albums Plugin
Vulnerability: Cross-Site Scripting
Patched Version: 1.3.50
Recommended Action: Update to version 1.3.50, or a newer patched version
Plugin: Import any XML, CSV or Excel File to WordPress
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload via Path Traversal
Patched Version: 3.6.9
Recommended Action: Update to version 3.6.9, or a newer patched version
Plugin: CBX Bookmark & Favorite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version
Plugin: User Activity Tracking and Log
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version
Plugin: Better Delete Revision
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Vulnerability: Unauthenticated Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version
Plugin: Bulk Comment Remove
Vulnerability: Cross-Site Request Forgery via brc_admin()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Prevent Landscape Rotation
Vulnerability: Cross-Site Request Forgery via adminpage.php
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version
Plugin: MemberSonic Lite Membership Site Plugin
Vulnerability: Authentication Bypass
Patched Version: 1.302
Recommended Action: Update to version 1.302, or a newer patched version
Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.19
Recommended Action: Update to version 2.0.19, or a newer patched version
Plugin: flickr-picture-backup
Vulnerability: Arbitrary file upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Min Max Control – Min Max Quantity & Step Control for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version
Plugin: BookX
Vulnerability: Path Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Store Locator WordPress
Vulnerability: Reflected Cross-Site Scripting via ‘asl-nounce’
Patched Version: 1.4.13
Recommended Action: Update to version 1.4.13, or a newer patched version
Plugin: WordPress Spreadsheet
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Konnichiwa! Membership
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Multisite Content Copier/Updater
Vulnerability: Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: IMPress for IDX Broker
Vulnerability: Authenticated Arbitrary Post Creation, Modification, and Deletion
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: Featured Image from URL (FIFU)
Vulnerability: Missing Authorization on REST API routes
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version
Plugin: Advanced Woo Search
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.78
Recommended Action: Update to version 2.78, or a newer patched version
Plugin: WooCommerce
Vulnerability: Insecure Direct Object Reference via order_id Parameter
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version
Plugin: Ad Inserter – Ad Manager & AdSense Ads
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: Registration | User Registration and Invitation Codes Plugin for WordPress
Vulnerability: PHP Object Injection
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Contest Gallery Pro
Vulnerability: Authenticated (Administrator+) SQL Injection via wp_user_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version
Plugin: Import and export users and customers
Vulnerability: Missing Authorization via fire_cron REST endpoint
Patched Version: 1.24.7
Recommended Action: Update to version 1.24.7, or a newer patched version
Plugin: Pixel Cat – Conversion Pixel Manager
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Core: WordPress
Vulnerability: Reflected Cross-Site Scripting via Global Variables
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.7, 5.2.8, 5.3.5, 5.4.3, 5.5.2
Plugin: SpiderCalendar
Vulnerability: SQL Injection
Patched Version: 1.5.52
Recommended Action: Update to version 1.5.52, or a newer patched version
Plugin: Debug Assistant
Vulnerability: Cross-Site Request Forgery via imlt_create_admin
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: MainWP Post Dripper Extension
Vulnerability: Missing Authorization to Arbitrary Page/Post Deletion
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version
Plugin: FareHarbor for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 1.9.25
Recommended Action: Update to version 1.9.25, or a newer patched version
Plugin: Floating Action Button
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Related Posts for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Clicky by Yoast
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.9.8
Recommended Action: Update to version 2.9.8, or a newer patched version
Core: WordPress
Vulnerability: Stored Cross-Site Scripting via Comments via URLs
Patched Version: 3.7.30
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.14, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3
Plugin: Easy Testimonials
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version
Plugin: Prismatic
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version
Plugin: Auto-hyperlink URLs
Vulnerability: Tab Nabbing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 13.2.6
Recommended Action: Update to version 13.2.6, or a newer patched version
Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version
Plugin: wordTube
Vulnerability: Remote File Inclusion
Patched Version: 1.44
Recommended Action: Update to version 1.44, or a newer patched version
Plugin: Easy Hide Login
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: FoxyPress
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version
Plugin: Event Calendar – Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: Movies
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Customer Reviews for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version
Plugin: WP Shortcodes Plugin — Shortcodes Ultimate
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.12.1
Recommended Action: Update to version 5.12.1, or a newer patched version
Core: WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.34
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.34, 3.8.34, 3.9.32, 4.0.31, 4.1.31, 4.2.28, 4.3.24, 4.4.23, 4.5.22, 4.6.19, 4.7.18, 4.8.14, 4.9.15, 5.0.10, 5.1.6, 5.2.7, 5.3.4, 5.4.2
Plugin: Form Builder | Create Responsive Contact Forms
Vulnerability: Unauthenticated CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: St-Daily-Tip
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Chatbot for Messenger
Vulnerability: Missing Authorization
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version
Plugin: HTTP Auth
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version
Plugin: PDF Builder for WooCommerce. Create invoices,packing slips and more
Vulnerability: Authenticated (Subscriber+) SQL Injection via Export
Patched Version: 1.2.90
Recommended Action: Update to version 1.2.90, or a newer patched version
Plugin: WP Tabs – Responsive Tabs and Custom Product Tabs
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: WP Header Images
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: UserAgent-Spy
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Memory Usage, Memory Limit, PHP and Server Memory Health Check and Provide Suggestions
Vulnerability: Missing Authorization to Arbitrary Plugin Installation
Patched Version: 2.46
Recommended Action: Update to version 2.46, or a newer patched version
Plugin: WP Blog and Widgets
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce
Vulnerability: Cross-Site Request Forgery to Order Information Disclosure
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version
Plugin: Hana Flv Player
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Vulnerability: Cross-Site Scripting
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: Highlight Sitewide Notice, Text, Button Menu
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.9.3
Recommended Action: Update to version 0.9.3, or a newer patched version
Plugin: WP Easy Gallery – WordPress Gallery Plugin
Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: Content Audit
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Husker Portfolio
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ipBlockList
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin
Vulnerability: Authenticated SQL Injection
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.4.0
Recommended Action: Update to version 8.4.0, or a newer patched version
Plugin: Product Slider for WooCommerce by PickPlugins
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.42
Recommended Action: Update to version 1.13.42, or a newer patched version
Plugin: WP Repost
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BZScore – Live Score
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcode Menu
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Faculty Staff and Student Directory Plugin – Campus Directory
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: Auto Affiliate Links
Vulnerability: SQL Injection
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version
Plugin: Easy Digital Downloads – PDF stamper
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Authenticated Cross-Site Scripting in Various Blocks
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Core: WordPress
Vulnerability: Authenticated Information Disclosure via REST-API
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
Plugin: Contact Form DB – Elementor
Vulnerability: Elementor <= 1.7
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: Easy Registration Forms
Vulnerability: CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Profile Extra Fields by BestWebSoft
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: Wicked Folders
Vulnerability: Cross-Site Request Forgery on ajax_save_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version
Plugin: Simple:Press Forum
Vulnerability: Authenticated (Subscriber+) Path Traversal to Arbitrary File Deletion
Patched Version: 6.8.1
Recommended Action: Update to version 6.8.1, or a newer patched version
Core: WordPress
Vulnerability: Denial of Service via Long Password
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1
Plugin: Simple Event Planner
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Form Settings
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version
Plugin: Easy Org Chart
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Floating Social Media Links
Vulnerability: Remote File Inclusion via fsml-hideshow.js.php wpp parameter
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Core: WordPress
Vulnerability: Authorization Bypass
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version
Plugin: Duplicate Page
Vulnerability: No subtitle
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version
Plugin: Flickr Justified Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Contact Form Builder, Contact Widget
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Lazy Social Comments
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Options
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Simple Download Monitor
Vulnerability: Sensitive Data Exposure
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version
Plugin: Sociable
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP All Export Pro
Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: WC Sales Notification
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: CSV Injection
Patched Version: 3.3.14
Recommended Action: Update to version 3.3.14, or a newer patched version
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Missing Authorization
Patched Version: 1.14.8
Recommended Action: Update to version 1.14.8, or a newer patched version
Plugin: YourMembership Single Sign On – YM SSO Login
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: LayerSlider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.7.10
Recommended Action: Update to version 7.7.10, or a newer patched version
Plugin: GD Rating System
Vulnerability: Directory Traversal
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Social Feed Gallery
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version
Plugin: WP CSV Exporter
Vulnerability: CSV Injection
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: MainWP UpdraftPlus Extension
Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version
Plugin: CPT Bootstrap Carousel
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version
Plugin: RSVPMaker
Vulnerability: Authenticated (Admin+) SQL Injection via $email value
Patched Version: 9.9.4
Recommended Action: Update to version 9.9.4, or a newer patched version
Plugin: Timed Content
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.73
Recommended Action: Update to version 2.73, or a newer patched version
Plugin: WP Membership
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Qode Essential Addons
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Subscribers and Landing Pages
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: wp-unique-article-header-image
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PowerPress Podcasting plugin by Blubrry
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 10.0.2
Recommended Action: Update to version 10.0.2, or a newer patched version
Plugin: Download Manager
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version
Plugin: History Timeline for Biography, Company History & Event Timeline
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woocommerce Vietnam Checkout
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Woocommerce Follow-ups
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.50
Recommended Action: Update to version 4.9.50, or a newer patched version
Plugin: surveys
Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.1.3.1
Recommended Action: Update to version 4.1.3.1, or a newer patched version
Plugin: Media Library Categories
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: WP Page Numbers
Vulnerability: Cross-Site Request Forgery via wp_page_numbers_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clone
Vulnerability: Sensitive Information Exposure
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version
Plugin: Google +1 by BestWebSoft
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: SEO Scout: Content Optimization, Keyword Research, Rank Tracking + SEO Testing
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Slider Feed
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Bootstrap Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: wpForo Forum
Vulnerability: Privilege Escalation
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version
Plugin: Download Manager
Vulnerability: Cross-Site Scripting
Patched Version: 2.9.52
Recommended Action: Update to version 2.9.52, or a newer patched version
Plugin: MAZ Loader – Preloader Builder for WordPress
Vulnerability: SQL Injection
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: BP Social Connect
Vulnerability: Authentication Bypass
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Add Shortcodes Actions And Filters
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version
Plugin: OAuth Single Sign On – SSO (OAuth Client)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.20.3
Recommended Action: Update to version 6.20.3, or a newer patched version
Plugin: Custom Login Page
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Accept Stripe Payments
Vulnerability: Insecure Direct Object Reference
Patched Version: 2.0.80
Recommended Action: Update to version 2.0.80, or a newer patched version
Plugin: Participants Database
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: Directory Listings WordPress plugin – uListing
Vulnerability: Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: page-flip-image-gallery
Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ReFlex Gallery » WordPress Photo Gallery
Vulnerability: Arbitrary File Upload
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: Disable Right Click For WP
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.11.2
Recommended Action: Update to version 5.11.2, or a newer patched version
Plugin: Duplicate Post Page Menu & Custom Post Type
Vulnerability: Missing Authorization
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery
Vulnerability: Cross-Site Request Forgery via getPluginStatus
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version
Plugin: Convert Pro
Vulnerability: Missing Authorization
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: On Page SEO + Social Live Chat (Formerly OPS)
Vulnerability: Type not given in the source record
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: VM Backups
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form Email
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.66
Recommended Action: Update to version 1.2.66, or a newer patched version
Plugin: WP Symposium
Vulnerability: SQL Injections
Patched Version: 12.12
Recommended Action: Update to version 12.12, or a newer patched version
Plugin: RokStories
Vulnerability: Cross-Site Scripting
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version
Plugin: ARI Stream Quiz – WordPress Quizzes Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Google Analytics Top Content Widget
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: myghpay WooCommerce Payment Gateway
Vulnerability: Type not given in the source record
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Product Table Lite
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: Lean WP
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CallRail Phone Call Tracking
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.4.10
Recommended Action: Update to version 0.4.10, or a newer patched version
Plugin: Database Backup for WordPress
Vulnerability: Authenticated Stored Cross-Site Scripting via backup_receipient Parameter
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: Strong Testimonials
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: Scribble Maps
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Re-attacher by BestWebSoft
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: Insert Estimated Reading Time
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BSK Forms Blacklist
Vulnerability: Authenticated (Administrator+) SQL Injection via ‘order’ and ‘orderby’
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version
Plugin: Videos sync PDF
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: XML Sitemap Generator for Google
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version
Plugin: AdPush
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.30
Recommended Action: Update to version 1.30, or a newer patched version
Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 7.6.7
Recommended Action: Update to version 7.6.7, or a newer patched version
Plugin: Restrict Categories
Vulnerability: Reflected Cross-Site Scripting via rc-search
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Cross-Site Scripting
Patched Version: 1.8.7
Recommended Action: Update to one of the following versions, or a newer patched version: 1.8.7, 1.9.10, 2.0.5, 2.1.11, 2.2.9, 2.3.7
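The "Update to version X, or a newer patched version" advice above is easy to misapply when a plugin ships fixes per release branch, as the Easy Digital Downloads entry does: an install on 2.1.0 is above the lowest fixed version (1.8.7) yet still exposed, because the fix for its own branch is 2.1.11. The following Python is an added example, not part of the original advisory page or any plugin's own code. It parses records in this page's "Plugin: / Vulnerability: / Patched Version: / Recommended Action:" layout and decides whether an installed version is still exposed, treating "No patched version available" as always vulnerable. The record text and the installed-version inventory are constructed for illustration; plugin name matching is exact and pre-release suffixes are ignored, both simplifications.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed sample input in the page's own record layout (abridged).
SAMPLE_RECORDS = """\
Plugin: Easy Digital Downloads
Vulnerability: Cross-Site Scripting
Patched Version: 1.8.7
Recommended Action: Update to one of the following versions, or a newer patched version: 1.8.7, 1.9.10, 2.0.5, 2.1.11, 2.2.9, 2.3.7
Plugin: WP Membership
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. It may be best to uninstall the affected software and find a replacement.
Plugin: Memory Usage
Vulnerability: Cross-Site Scripting
Patched Version: 2.44
Recommended Action: Update to version 2.44, or a newer patched version
"""

# Constructed inventory: plugin name -> installed version (as `wp plugin list` would report).
SAMPLE_INSTALLED = {
    "Easy Digital Downloads": "2.1.0",
    "WP Membership": "1.0",
    "Memory Usage": "2.44",
}


def parse_version(text: str) -> Version:
    """'2.44' -> (2, 44). Components compare numerically, so 2.44 > 2.4,
    matching how WordPress orders plugin versions. Pre-release suffixes
    such as '1.2-beta' are ignored here (simplification)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split advisory text into one dict per 'Plugin:' or 'Core:' block.
    Only the first colon on a line separates key from value, so plugin
    names that themselves contain a colon survive intact."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("Plugin", "Core"):
            records.append({"name": value, "kind": key})
        elif records and key in ("Vulnerability", "Patched Version", "Recommended Action"):
            records[-1][key] = value
    return records


def fixed_versions(record: Dict[str, str]) -> List[Version]:
    """All patched versions for a record, sorted ascending. 'No patched
    version available' yields []; a multi-branch action line contributes
    one entry per branch in addition to the 'Patched Version' field."""
    patched = record.get("Patched Version", "")
    if patched.startswith("No patched"):
        return []
    found = {parse_version(patched)}
    for v in re.findall(r"\d+(?:\.\d+)+", record.get("Recommended Action", "")):
        found.add(parse_version(v))
    return sorted(found)


def is_patched(installed: Version, fixed: List[Version]) -> bool:
    """Safe if at or above the newest fix, or at or above the fix for the
    installed version's own branch (2.1.x is judged against 2.1.11, not
    1.8.7). A branch with no listed fix that is below the newest fix is
    treated as vulnerable: the conservative reading of 'or a newer
    patched version'."""
    if not fixed:
        return False
    if installed >= fixed[-1]:
        return True
    for fix in fixed:
        branch = fix[:-1]  # (2, 1, 11) belongs to branch (2, 1)
        if installed[: len(branch)] == branch:
            return installed >= fix
    return False


def assess(installed: Dict[str, str], records: List[Dict[str, str]]) -> Dict[Tuple[str, str], str]:
    """Map (plugin, vulnerability) to a status. Keyed on both fields because
    one plugin can appear in several records (Download Manager does above)."""
    result: Dict[Tuple[str, str], str] = {}
    for rec in records:
        key = (rec["name"], rec.get("Vulnerability", ""))
        if rec["name"] not in installed:
            result[key] = "not installed"
            continue
        fixed = fixed_versions(rec)
        if not fixed:
            result[key] = "vulnerable (no patch available)"
        elif is_patched(parse_version(installed[rec["name"]]), fixed):
            result[key] = "patched"
        else:
            result[key] = "vulnerable"
    return result


if __name__ == "__main__":
    for (name, vuln), status in assess(SAMPLE_INSTALLED, parse_records(SAMPLE_RECORDS)).items():
        print(f"{name} [{vuln}]: {status}")
```

Run as a script it reports Easy Digital Downloads 2.1.0 as vulnerable, WP Membership as vulnerable with no patch available, and Memory Usage 2.44 as patched. The branch rule in `is_patched` is deliberately conservative: an install on a branch the advisory does not mention, below the newest fix, is flagged rather than assumed safe.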
Plugin: WP Google Maps Pro
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 8.1.12
Recommended Action: Update to version 8.1.12, or a newer patched version
Plugin: StagTools
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version
Plugin: ULeak Security & Monitoring Plugin
Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Loco Translate
Vulnerability: Authenticated PHP Code Injection
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version
Plugin: Video Background
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: WP Recipe Maker
Vulnerability: Directory Traversal
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version
Plugin: YourChannel: Everything you want in a YouTube plugin.
Vulnerability: Cross-Site Request Forgery to Plugin Channel Reset
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: A/B Test for WordPress
Vulnerability: Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Contact form 7 DB
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version
Plugin: ElasticPress
Vulnerability: Prototype Pollution
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version
Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Vulnerability: Arbitrary File Upload
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version
Plugin: WP Docs
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version
Core: WordPress
Vulnerability: Open Redirect
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: Abandoned Cart Recovery for WooCommerce
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.0.4.1
Recommended Action: Update to version 1.0.4.1, or a newer patched version
Plugin: AllWebMenus WordPress Menu Plugin
Vulnerability: Remote File Inclusion
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Import Export Suite for CSV and XML Datafeed
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.8
Recommended Action: Update to version 3.8.8, or a newer patched version
Plugin: Medialist
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version
Plugin: Total Security
Vulnerability: Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Plugin: LionScripts: IP Blocker Lite
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rencontre – Dating Site
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Memory Usage, Memory Limit, PHP and Server Memory Health Check and Provide Suggestions
Vulnerability: Cross-Site Scripting
Patched Version: 2.44
Recommended Action: Update to version 2.44, or a newer patched version
Plugin: OSD Subscribe
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: QuBot – Chatbot Builder with Templates
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Sliding Social Icons
Vulnerability: Cross-Site Request Forgery and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Futurio Extra
Vulnerability: Sensitive Information Disclosure
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: SureTriggers: All-in-One WordPress Automation
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.24
Recommended Action: Update to version 1.0.24, or a newer patched version
Plugin: Seriously Simple Stats
Vulnerability: Authenticated (Podcast manager+) SQL Injection via order_by
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Easy Appointments
Vulnerability: Cross-Site Request Forgery via multiple AJAX actions
Patched Version: 3.11.10
Recommended Action: Update to version 3.11.10, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Type not given in the source record (the listed value, 1.2.997, reads as an affected version rather than a vulnerability type)
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Coru LFMember
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mailjet Email Marketing
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 5.3.1
Recommended Action: Update to version 5.3.1, or a newer patched version
Plugin: stripshow
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Global Flash Gallery
Vulnerability: Arbitrary File Upload
Patched Version: 0.15.2
Recommended Action: Update to version 0.15.2, or a newer patched version
Plugin: Shopping Cart & eCommerce Store
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 5.2.5
Recommended Action: Update to version 5.2.5, or a newer patched version
Plugin: Sticky Menu & Sticky Header
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.21
Recommended Action: Update to version 2.21, or a newer patched version
Plugin: Dynamic Widgets
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version
Plugin: Minimum Purchase for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JetBackup – WP Backup, Migrate & Restore
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.47
Recommended Action: Update to version 1.1.47, or a newer patched version
Plugin: A2 Optimized WP – Turbocharge and secure your WordPress site
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: File Manager
Vulnerability: Unauthenticated Resource Access to Site Backups
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version
Plugin: MainWP Matomo Extension
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version
Plugin: MailPoet Newsletters (Previous)
Vulnerability: Spam Injection
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Captcha Bypass
Patched Version: 1.15.21
Recommended Action: Update to version 1.15.21, or a newer patched version
Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Vulnerability: Unauthenticated SQL Injection
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version
Plugin: Download Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.49
Recommended Action: Update to version 3.2.49, or a newer patched version
Plugin: Termly – GDPR/CCPA Cookie Consent Banner
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.10
Recommended Action: Update to version 2.3.10, or a newer patched version
Plugin: Live Chat with Messenger Customer Chat
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: DMSGuestbook
Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sermon Browser
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 0.45.16
Recommended Action: Update to version 0.45.16, or a newer patched version
Plugin: Album and Image Gallery plus Lightbox
Vulnerability: Missing Authorization
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Reflected Cross-Site Scripting via font-size
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: WP Frontend Profile
Vulnerability: Stored Cross-Site Scripting
Patched Version: 0.2.2
Recommended Action: Update to version 0.2.2, or a newer patched version
Plugin: Logo Carousel – Responsive Logo Slider, Logo Showcase, and Clients Logo Gallery
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version
Plugin: Ship To eCourier
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Cimy User Manager
Vulnerability: Arbitrary File Read
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: Magic Post Voice
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Syntax
Vulnerability: Remote Code Execution
Patched Version: 0.9.10
Recommended Action: Update to version 0.9.10, or a newer patched version
Plugin: Google Map
Vulnerability: SQL Injection
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version
Plugin: Advanced Booking Calendar
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Gallery Metabox
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Subscribe
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version
Plugin: Simple Portfolio Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: eCommerce Product Catalog Plugin for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version
Plugin: WP Hide Pages
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Support Board
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Recently Viewed Products
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: CodeBard's Patron Button and Widgets for Patreon
Vulnerability: Reflected Cross-Site Scripting via ‘site_account’
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version
Plugin: Exquisite PayPal Donation
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Insecure Content Warning
Vulnerability: Remote Code Execution
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Modern Events Calendar Lite
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 6.3.0
Recommended Action: Update to version 6.3.0, or a newer patched version
Plugin: Simple:Press Forum
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Forum Replies
Patched Version: 6.8.1
Recommended Action: Update to version 6.8.1, or a newer patched version
Plugin: WP Maps – Display Google Maps Perfectly with Ease
Vulnerability: Authenticated SQL Injection via Orderby
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Vulnerability: Type not given in the source record (the listed value, 2.6.7.6, reads as an affected version rather than a vulnerability type)
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Advanced Schedule Posts
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download Manager
Vulnerability: Authenticated (Contributor+) PHAR Deserialization
Patched Version: 3.2.50
Recommended Action: Update to version 3.2.50, or a newer patched version
Plugin: NextCellent Gallery – NextGEN Legacy
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.9.18
Recommended Action: Update to version 1.9.18, or a newer patched version
Plugin: Email Artillery (MASS EMAIL)
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Addon Elements
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.12.8
Recommended Action: Update to version 1.12.8, or a newer patched version
Plugin: Export and Import Users and Customers
Vulnerability: Missing Authorization to Authenticated (Shop Manager) Arbitrary User Password Change
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: BulletProof Security
Vulnerability: Sensitive Information Disclosure
Patched Version: 5.2
Recommended Action: Update to version 5.2, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: 5.5.2
Recommended Action: Update to version 5.5.2, or a newer patched version
Plugin: Crelly Slider
Vulnerability: SQL Injection
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Etsy Shop
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version
Plugin: WP Go Maps (formerly WP Google Maps)
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 7.11.35
Recommended Action: Update to version 7.11.35, or a newer patched version
Plugin: Powerplay Gallery
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Local File Inclusion
Patched Version: 3.8.12
Recommended Action: Update to version 3.8.12, or a newer patched version
Plugin: Easy Modal
Vulnerability: SQL Injection
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Table Generator
Vulnerability: Missing Authorization to Table Modification
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Page Ordering
Vulnerability: Open Redirect
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version
Plugin: GD Rating System
Vulnerability: Directory Traversal
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Download Monitor
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Go Pricing – WordPress Responsive Pricing Tables
Vulnerability: WordPress Responsive Pricing Tables <= 3.3.19
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: 404 Solution
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.35.0
Recommended Action: Update to version 2.35.0, or a newer patched version
Plugin: CPT Shortcode Generator
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Font Awesome
Vulnerability: API Token Exposure
Patched Version: 4.0.0-rc17
Recommended Action: Update to version 4.0.0-rc17, or a newer patched version
Plugin: Better WordPress reCAPTCHA (with no CAPTCHA reCAPTCHA)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Resim Ara
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Time Sheets
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security
Vulnerability: Stored Cross-Site Scripting via HTTP_HOST
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version
Plugin: Complianz Premium – GDPR/CCPA Cookie Consent
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.4.7
Recommended Action: Update to version 6.4.7, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Authorization Bypass
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version
Plugin: OOPSpam Anti-Spam
Vulnerability: Cross-Site Request Forgery via empty_ham_entries and empty_spam_entries
Patched Version: 1.1.45
Recommended Action: Update to version 1.1.45, or a newer patched version
Plugin: Stars Rating
Vulnerability: Denial of Service
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version
Plugin: Seed Social
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: Mail logging – WP Mail Catcher
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.0.0
Recommended Action: Update to version 2.6.0.0, or a newer patched version
Plugin: Popups – WordPress Popup
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paid Memberships Pro CCBill Gateway
Vulnerability: Insufficient Authorization
Patched Version: 0.4
Recommended Action: Update to version 0.4, or a newer patched version
Plugin: SpiderVPlayer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version
Plugin: Export WP Page to Static HTML/CSS
Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: StoryChief
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.0.31
Recommended Action: Update to version 1.0.31, or a newer patched version
Plugin: WOWRestro – Online Ordering System For WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: WordPress Popular Posts
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 5.3.3
Recommended Action: Update to version 5.3.3, or a newer patched version
Plugin: ActiveCampaign – Forms, Site Tracking, Live Chat
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.1.12
Recommended Action: Update to version 8.1.12, or a newer patched version
Plugin: Popup contact form
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FileBird – WordPress Media Library Folders & File Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Folder Import
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version
Plugin: Currency Converter Widget – Exchange Rates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Arbitrary File Upload
Patched Version: 2.0.66
Recommended Action: Update to version 2.0.66, or a newer patched version
Plugin: SEO Redirection Plugin – 301 Redirect Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version
Plugin: Mail Masta
Vulnerability: SQL Injection via list_id parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Royal Elementor Addons and Templates
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.76
Recommended Action: Update to version 1.3.76, or a newer patched version
Plugin: Patreon WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version
Plugin: BackupBuddy
Vulnerability: Sensitive Information Disclosure
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: WatchTowerHQ
Vulnerability: Type Juggling to Authentication Bypass in check_ota
Patched Version: 3.6.17
Recommended Action: Update to version 3.6.17, or a newer patched version
Plugin: Launchpad – Coming Soon & Maintenance Mode Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YouTube Embed
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version
Plugin: eShop
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.2.9
Recommended Action: Update to version 6.2.9, or a newer patched version
Plugin: Software License Manager
Vulnerability: Cross-Site Request Forgery leading to Arbitrary Domain Deletion
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version
Plugin: Jupiter X Core
Vulnerability: 3.3.0
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version
Plugin: My YouTube Channel
Vulnerability: Missing Authorization
Patched Version: 3.23.0
Recommended Action: Update to version 3.23.0, or a newer patched version
Plugin: WooCommerce Customers Manager
Vulnerability: Authenticated Account Creation and Privilege Escalation
Patched Version: 26.5
Recommended Action: Update to version 26.5, or a newer patched version
Plugin: Accordion
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.43
Recommended Action: Update to version 2.2.43, or a newer patched version
Plugin: Booster Plus for WooCommerce
Vulnerability: Authenticated (Subscriber+) Order Modification
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version
Plugin: Copyright Proof
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mail On Update
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version
Plugin: MouseWheel Smooth Scroll
Vulnerability: Plugin’s Setting Update via Cross-Site Request Forgery
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version
Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: Twitter Friends Widget
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ninja Forms – The Contact Form Builder That Grows With You
Vulnerability: Cross-Site Request Forgery to Field Import and PHP Object Injection
Patched Version: 3.6.10
Recommended Action: Update to version 3.6.10, or a newer patched version
Plugin: Calendar Event Multi View
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 1.4.07
Recommended Action: Update to version 1.4.07, or a newer patched version
Plugin: RapidLoad – Optimize Web Vitals Automatically
Vulnerability: Cross-Site Request Forgery via ‘clear_uucss_logs’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.0.46
Recommended Action: Update to version 2.0.46, or a newer patched version
Plugin: Ocean Extra
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version
Plugin: Advanced Contact form 7 DB
Vulnerability: Authenticated Arbitrary File Deletion
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version
Plugin: Uploadify
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Booking Calendar
Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Cookie Notice & Consent
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version
Plugin: Checklist
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: Cardinity Payment Gateway for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: All-In-One Security (AIOS) – Security and Firewall
Vulnerability: Cross-Site Scripting
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version
Plugin: Surbma | GDPR Proof Cookie Consent & Notice Bar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 17.6.0
Recommended Action: Update to version 17.6.0, or a newer patched version
Plugin: TS Webfonts for さくらのレンタルサーバ
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: Modern Events Calendar Lite
Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version
Plugin: Gallery Bank – WordPress Photo Gallery Plugin
Vulnerability: SQL Injection
Patched Version: 3.0.330
Recommended Action: Update to version 3.0.330, or a newer patched version
Plugin: Yoast SEO
Vulnerability: Cross-Site Scripting
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: Modal Window – create popup modal window
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version
Plugin: Comment Highlighter
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: InstaWP Connect – 1-click WP Staging & Migration
Vulnerability: Missing Authorization to Unauthenticated Post/Taxonomy/User Add/Change/Delete, Customizer Setting Change, Plugin Installation/Activation/Deactivation via events_receiver
Patched Version: 0.0.9.19
Recommended Action: Update to version 0.0.9.19, or a newer patched version
Plugin: Maintenance Mode by Supsystic
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: No subtitle
Patched Version: 2.2.15
Recommended Action: Update to version 2.2.15, or a newer patched version
Plugin: wordcamp-talks
Vulnerability: CSV Injection
Patched Version: 1.0.0-beta3
Recommended Action: Update to version 1.0.0-beta3, or a newer patched version
Plugin: WatuPRO
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.9.0.8
Recommended Action: Update to version 4.9.0.8, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Arbitrary File Upload
Patched Version: 2.6.1.4
Recommended Action: Update to version 2.6.1.4, or a newer patched version
Plugin: WordPress Online Booking and Scheduling Plugin – Bookly
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 22.5
Recommended Action: Update to version 22.5, or a newer patched version
Plugin: Stamped.io Product Reviews & UGC for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Missing Authorization
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version
Plugin: Smooth Scroll Links [SSL]
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Clean Login
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.13.7
Recommended Action: Update to version 1.13.7, or a newer patched version
Plugin: WPML
Vulnerability: Authorization Bypass
Patched Version: 3.1.9.1
Recommended Action: Update to version 3.1.9.1, or a newer patched version
Plugin: WordPress PDF Light Viewer Plugin
Vulnerability: Authenticated Command Injection
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version
Plugin: Frontend File Manager Plugin
Vulnerability: Unauthenticated HTML Injection leading to Spam Emails
Patched Version: 18.3
Recommended Action: Update to version 18.3, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Cross-Site Request Forgery to Arbitrary Quiz Deletion and Copying
Patched Version: 1.3.2.5
Recommended Action: Update to version 1.3.2.5, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version
Plugin: Login using WordPress Users ( WP as SAML IDP )
Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.13.4
Recommended Action: Update to version 1.13.4, or a newer patched version
Plugin: Add Shortcodes Actions And Filters
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version
Plugin: MStore API – Create Native Android & iOS Apps On The Cloud
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version
Plugin: Easy Forms for Mailchimp
Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via Form Name
Patched Version: 6.8.9
Recommended Action: Update to version 6.8.9, or a newer patched version
Plugin: WP Abstracts
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version
Plugin: WP Survey Plus
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: My Calendar – Accessible Event Manager
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.4.22
Recommended Action: Update to version 3.4.22, or a newer patched version
Plugin: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
Vulnerability: Authenticated (edit_popups+) SQL Injection
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin
Vulnerability: Authenticated Blind SQL Injection
Patched Version: 1.5.64
Recommended Action: Update to version 1.5.64, or a newer patched version
Plugin: Team – Team Members Showcase Plugin
Vulnerability: WordPress Team Member Showcase Plugin <= 4.1.1
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version
Plugin: Formzu WP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version
Plugin: Smarty for WordPress
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: pootle button
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: WordPress File Upload
Vulnerability: Authenticated Stored Cross-Site Scripting via Shortcode
Patched Version: 4.16.3
Recommended Action: Update to version 4.16.3, or a newer patched version
Plugin: Menu Swapper
Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Andrea Pernici News Sitemap for Google
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Share Buttons Plugin – AddThis
Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 5.0.13
Recommended Action: Update to version 5.0.13, or a newer patched version
Plugin: Animate It!
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version
Plugin: GroupDocs.Comparison for Cloud
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Cross-Site Request Forgery via ‘wpfc_remove_cdn_integration_ajax_request_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Network Publisher
Vulnerability: Cross-Site Scripting
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.14.3
Recommended Action: Update to version 2.14.3, or a newer patched version
Plugin: Backend Localization
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: wpCentral
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress HTTPS (SSL)
Vulnerability: Missing Authorization to Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: bbp style pack
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.6
Recommended Action: Update to version 5.5.6, or a newer patched version
Plugin: Limit Login Attempts (Spam Protection)
Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version
Plugin: Calendar Event Multi View
Vulnerability: Missing Authentication leading to Authenticated (Subscriber+) Private Form Submission
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version
Plugin: WP-Banners-Lite
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Woocommerce ESTO
Vulnerability: Cross-Site Request Forgery via saveSetting
Patched Version: 2.23.2
Recommended Action: Update to version 2.23.2, or a newer patched version
Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.44
Recommended Action: Update to version 2.0.44, or a newer patched version
Plugin: Trending/Popular Post Slider and Widget
Vulnerability: Cross-Site Request Forgery via wtpsw_post_view_count
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version
Plugin: WP Reroute Email
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend
Vulnerability: Privilege Escalation
Patched Version: 3.5.29
Recommended Action: Update to version 3.5.29, or a newer patched version
Plugin: Product Catalog Simple
Vulnerability: Cross-Site Request Forgery via ic_system_status
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: IgniteUp – Coming Soon and Maintenance Mode
Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: Comments – wpDiscuz
Vulnerability: Insufficient Authorization to Comment Submission on Deleted Posts
Patched Version: 7.6.11
Recommended Action: Update to version 7.6.11, or a newer patched version
Plugin: Adning Advertising
Vulnerability: Arbitrary File Upload
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version
Plugin: WD Instagram Feed Premium
Vulnerability: Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: ImageMagick Engine
Vulnerability: Cross-Site Request Forgery to PHAR Deserialization
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: Product Delivery Date for WooCommerce – Lite
Vulnerability: Missing Authorization
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version
Plugin: Canto
Vulnerability: Blind Server-Side Request Forgery via get.php
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Missing Authorization in ‘regenerateSitemaps’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Quiz Tool Lite
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sticky Popup
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPCS – WordPress Currency Switcher Professional
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Injection Guard
Vulnerability: Cross-Site Request Forgery via ig_update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: TerraClassifieds – Simple Classifieds Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Subscription
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version
Plugin: MainWP Clone Extension
Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: WP Time Slots Booking Form
Vulnerability: Improper Authorization Checks
Patched Version: 1.1.83
Recommended Action: Update to version 1.1.83, or a newer patched version
Plugin: Social Feed | All social media in one place
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All Bootstrap Blocks
Vulnerability: Cross-Site Request Forgery to Plugin Settings Reset
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Interactive Medical Drawing of Human Body
Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: Thank You Counter Button
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Companion Sitemap Generator – HTML & XML
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version
Plugin: WP eCommerce
Vulnerability: SQL Injection
Patched Version: 3.8.7.6
Recommended Action: Update to version 3.8.7.6, or a newer patched version
Plugin: CommentTweets
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Private Messages
Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Core: WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version
Plugin: OneLogin SAML SSO
Vulnerability: Distributed Denial-of-Service
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: RSVP and Event Management
Vulnerability: Unauthenticated Sensitive Information Disclosure
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version
Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version
Plugin: Simple Mail Address Encoder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Button Generator – easily Button Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: Educare – Students & Result Management System
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery in savetmplfile function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: WP Symposium
Vulnerability: Unauthenticated SQL Injection
Patched Version: 15.8
Recommended Action: Update to version 15.8, or a newer patched version
Plugin: Activity Log – Monitor & Record User Changes
Vulnerability: Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version
Plugin: WordPress Related Posts
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: uContext for Clickbank
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Forms for Mailchimp
Vulnerability: Reflected Cross-Site Scripting via ‘sql_error’
Patched Version: 6.8.9
Recommended Action: Update to version 6.8.9, or a newer patched version
Plugin: WPSmartContracts
Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 1.3.12
Recommended Action: Update to version 1.3.12, or a newer patched version
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vulnerability: Privilege Escalation via Arbitrary User Meta Updates
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version
Plugin: 微信打赏(Wechat Reward)
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Availability Calendar
Vulnerability: Cross-Site Request Forgery via add_availability_calendar_create_admin_page()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Powie's WHOIS Domain Check
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.9.32
Recommended Action: Update to version 0.9.32, or a newer patched version
Plugin: ToTop Link
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mondial Relay & Chronopost plugin for WooCommerce – WCMultiShipping
Vulnerability: Missing Authorization to Log Export
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version
Plugin: Customify – Intuitive Website Styling
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.10.5
Recommended Action: Update to version 2.10.5, or a newer patched version
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Cross-Site Request Forgery to WPForm/Blocks Import
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: W3 Total Cache
Vulnerability: File Read / Directory Traversal
Patched Version: 0.9.4
Recommended Action: Update to version 0.9.4, or a newer patched version
Plugin: WP-Paginate
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: IP Spoofing
Patched Version: 5.2.5.1
Recommended Action: Update to version 5.2.5.1, or a newer patched version
Core: WordPress
Vulnerability: Denial of Service via XML
Patched Version: 3.7.4
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.4, 3.8.4, 3.9.2
Plugin: Import any XML, CSV or Excel File to WordPress
Vulnerability: SQL Injection
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: Referrer Detector
Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Germanized for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Cross-Site Scripting
Patched Version: 7.1.19
Recommended Action: Update to version 7.1.19, or a newer patched version
Plugin: WP Extended Search
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Database for Contact Form 7, WPforms, Elementor forms
Vulnerability: Authenticated (Contributor+) SQL Injection via shortcode
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Post Gallery
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive Lightbox & Gallery
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via name
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: YaySMTP – WP SMTP Plugin with Full Email Log & 15+ SMTP Services
Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Core: WordPress
Vulnerability: Open Redirect
Patched Version: 3.7.30
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.14, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3
Plugin: Appointment Booking Calendar
Vulnerability: SQL Injection
Patched Version: 1.1.24
Recommended Action: Update to version 1.1.24, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Custom Registration Forms, User Registration and User Login Plugin <= 4.6.0.2
Patched Version: 4.6.0.3
Recommended Action: Update to version 4.6.0.3, or a newer patched version
Plugin: Task Manager Pro – Task Management Plugin For WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: StatPressCN
Vulnerability: Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: directories
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.46
Recommended Action: Update to version 1.3.46, or a newer patched version
Plugin: This Day In History
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Relevanssi – A Better Search
Vulnerability: SQL Injection
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: Booking calendar, Appointment Booking System
Vulnerability: Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: PDF Viewer & 3D PDF Flipbook – DearPDF
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-CommentNavi
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.12.2
Recommended Action: Update to version 1.12.2, or a newer patched version
Plugin: Codup WooCommerce Dynamic Pricing Table View
Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.1.5
Recommended Action: Update to version 1.2.1.5, or a newer patched version
Plugin: Ultimate Taxonomy Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Generator
Vulnerability: Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Plugin: Uploading SVG, WEBP and ICO files
Vulnerability: Arbitrary File Upload
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Social Sharing Plugin – Social Warfare
Vulnerability: Missing Authorization
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: cformsII
Vulnerability: CAPTCHA Bypass
Patched Version: 14.11
Recommended Action: Update to version 14.11, or a newer patched version
Plugin: Mimetic Books
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BuddyPress
Vulnerability: Insufficient Input Validation
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version
Plugin: WP Photo Album Plus
Vulnerability: Cross-Site Scripting
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version
Plugin: LayerSlider
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: Aspose.Words – Import and Export word documents
Vulnerability: Arbitrary File Download
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: IMDB Profile Widget
Vulnerability: Local File Inclusion
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version
Plugin: Laposta Signup Embed
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.3.7
Recommended Action: Update to version 7.3.7, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting via Shortcodes
Patched Version: 3.7.11
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.11, 3.8.11, 3.9.9, 4.0.8, 4.1.8, 4.2.5, 4.3.1
Plugin: YourChannel: Everything you want in a YouTube plugin.
Vulnerability: Cross-Site Request Forgery to Plugin Settings Change
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: 3CX Free Live Chat, Calls & WhatsApp
Vulnerability: Local File Inclusion
Patched Version: 9.4.3
Recommended Action: Update to version 9.4.3, or a newer patched version
Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
Vulnerability: Missing Authorization to User Points Updates
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version
Plugin: Zippy
Vulnerability: Authenticated (Contributor+) Sensitive Information Disclosure
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Orbit Fox by ThemeIsle
Vulnerability: Authenticated (Author+) Server-Side Request Forgery via URL
Patched Version: 2.10.24
Recommended Action: Update to version 2.10.24, or a newer patched version
Plugin: Appointment Hour Booking – WordPress Booking Plugin
Vulnerability: Missing Authorization
Patched Version: 1.3.72
Recommended Action: Update to version 1.3.72, or a newer patched version
Plugin: WooCommerce Stripe Payment Gateway
Vulnerability: Missing Authorization
Patched Version: 7.4.1
Recommended Action: Update to version 7.4.1, or a newer patched version
Plugin: Tawk.To Live Chat
Vulnerability: Missing Authorization to Visitor Monitoring & Chat Removal
Patched Version: 0.6.0
Recommended Action: Update to version 0.6.0, or a newer patched version
Plugin: track-that-stat
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: AppPresser – Mobile App Framework
Vulnerability: Insecure Password Reset Mechanism
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version
Plugin: Gutenverse – Ultimate Block Addons and Page Builder for Site Editor
Vulnerability: Missing Authorization via ‘data/update’ API Endpoint
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: Apollo13 Framework Extensions
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: WP Activity Log Premium
Vulnerability: Cross-Site Request Forgery via ajax_switch_db
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version
Plugin: WordPress Multisite User Sync/Unsync (Premium)
Vulnerability: No subtitle
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: ElasticPress
Vulnerability: Remote Code Execution
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version
Plugin: EZP Coming Soon Page
Vulnerability: Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Laybuy Payment Extension for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Redirection
Vulnerability: Missing Authorization in ‘SaveSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Accordion and Accordion Slider
Vulnerability: Missing Authorization via ‘wp_aas_get_attachment_edit_form’ and ‘wp_aas_save_attachment_data’
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version
Plugin: SB Uploader
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Import Export Lite
Vulnerability: Unauthenticated Sensitive Data Disclosure
Patched Version: 3.9.16
Recommended Action: Update to version 3.9.16, or a newer patched version
Plugin: Email Log
Vulnerability: Admin+ SQL Injection
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version
Plugin: WP-Cirrus
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form Submissions
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version
Plugin: Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.4.9.9
Recommended Action: Update to version 1.4.9.9, or a newer patched version
Plugin: Pricing Deals for WooCommerce
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version
Plugin: Ovic Responsive WPBakery
Vulnerability: Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: Download Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.22
Recommended Action: Update to version 3.1.22, or a newer patched version
Plugin: iPages Flipbook For WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: Easy Digital Downloads – Conditional Success Redirects
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: PDF.js Viewer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: Hide My WP Ghost – Security & Firewall
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: 5.0.20
Recommended Action: Update to version 5.0.20, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Cross-Site Request Forgery
Patched Version: 8.1.19
Recommended Action: Update to version 8.1.19, or a newer patched version
Plugin: Classified Core
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version
Plugin: Stripe Payment Plugin for WooCommerce
Vulnerability: Authentication Bypass
Patched Version: 3.7.8
Recommended Action: Update to version 3.7.8, or a newer patched version
Plugin: Client Portal : SuiteDash Direct Login
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: AdFoxly – Ad Manager, AdSense Ads & Ads.txt
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Floating Social Bar
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Portfolio for Elementor & Image Gallery | PowerFolio
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version
Plugin: Twitget
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version
Plugin: Haxcan
Vulnerability: Authenticated (Admin+) Path Traversal to Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Secure HTML5 Video Player
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Core: WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.7.9
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.9, 3.8.9, 3.9.7, 4.0.6, 4.1.6, 4.2.3
Plugin: Indeed Membership Pro
Vulnerability: Arbitrary File Upload
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version
Plugin: WP Fastest Cache
Vulnerability: Cross-Site Request Forgery via ‘deleteCssAndJsCacheToolbar’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Loco Translate
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Authorize.net Add-on for iThemes Exchange
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin
Vulnerability: SQL Injection
Patched Version: 1.3.59
Recommended Action: Update to version 1.3.59, or a newer patched version
Plugin: WP Photo Album Plus
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.4.18
Recommended Action: Update to version 5.4.18, or a newer patched version
Plugin: Thrive Automator
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.17.1
Recommended Action: Update to version 1.17.1, or a newer patched version
Plugin: Login Screen Manager
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Toolset Types – Custom Post Types, Custom Fields and Taxonomies
Vulnerability: Cross-Site Scripting
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version
Plugin: BadgeOS
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.7.1.3
Recommended Action: Update to version 3.7.1.3, or a newer patched version
Plugin: 12 Step Meeting List
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 3.14.25
Recommended Action: Update to version 3.14.25, or a newer patched version
Plugin: WP Helper Premium
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version
Plugin: Custom Login Page Styler
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.2.5
Recommended Action: Update to version 6.2.5, or a newer patched version
Plugin: The Plus Addons for Elementor Page Builder
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version
Plugin: Appointment Booking Calendar
Vulnerability: SQL Injection
Patched Version: 1.2.25
Recommended Action: Update to version 1.2.25, or a newer patched version
Plugin: BP Group Documents
Vulnerability: Path Traversal
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: WooFramework Tweaks
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: Themify Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
Vulnerability: Reflected Cross-Site Scripting via effects
Patched Version: 9.7.1
Recommended Action: Update to version 9.7.1, or a newer patched version
Plugin: Rich Widget
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Members Membership Plugin
Vulnerability: Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version
Plugin: WooCommerce
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: Zeno Font Resizer
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: Nested Pages
Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.1.21
Recommended Action: Update to version 3.1.21, or a newer patched version
Plugin: bSuite
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 5 alpha 3
Recommended Action: Update to version 5 alpha 3, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Awesome Support – WordPress HelpDesk & Support Plugin
Vulnerability: Missing Authorization via wpas_edit_reply_ajax()
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version
Core: WordPress
Vulnerability: Stored Cross-Site Scripting via File Uploads
Patched Version: 3.7.28
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1
Plugin: Contact Form and Calls To Action by vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version
Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 3.2.13
Recommended Action: Update to version 3.2.13, or a newer patched version
Plugin: WPB Show Core
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Oceanwp sticky header
Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download Manager
Vulnerability: Authenticated (Admin+) Path Traversal
Patched Version: 3.2.55
Recommended Action: Update to version 3.2.55, or a newer patched version
Plugin: BMI BMR Calculator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quiz Maker
Vulnerability: Content Spoofing
Patched Version: 6.3.9.5
Recommended Action: Update to version 6.3.9.5, or a newer patched version
Plugin: Link Library
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.9.12.30
Recommended Action: Update to version 5.9.12.30, or a newer patched version
Plugin: ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
Vulnerability: Authorization Bypass and Cross-Site Request Forgery
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version
Plugin: Archivist – Custom Archive Templates
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version
Plugin: MailerLite – Signup forms (official)
Vulnerability: Unspecified (affects versions <= 1.5.3)
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version
Plugin: WordPress Online Booking and Scheduling Plugin – Bookly
Vulnerability: Cross-Site Scripting
Patched Version: 14.6
Recommended Action: Update to version 14.6, or a newer patched version
Core: WordPress
Vulnerability: Shortcode Execution in User Generated Content
Patched Version: 5.9.7
Recommended Action: Update to one of the following versions, or a newer patched version: 5.9.7, 6.0.5, 6.1.3, 6.2.2
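The two WordPress core entries above list one patched release per maintained branch (3.7.28 through 5.0.1, and 5.9.7 through 6.2.2) rather than a single version, and a naive "installed >= first listed version" comparison gets these wrong: a site on 4.9.8 is still vulnerable even though 4.9.8 is greater than 3.7.28, because its fix is 4.9.9. The following is an added example (not code from the advisory page) showing a branch-aware check that reads the "Patched Version" field as written here, treats "No patched version available" as unpatched, and refuses to guess about versions it cannot parse (such as the "5 alpha 3" entry for bSuite). The `ADVISORIES` sample data is constructed from the entries on this page; the branch is assumed to be the first two version components, which matches WordPress core's release scheme but is only an assumption for arbitrary plugins.

```python
"""Branch-aware check of an installed version against an advisory's
patched versions. Added example, not part of the advisory page.
Assumes plain dotted numeric versions; pre-release strings such as
"5 alpha 3" are reported as unparseable rather than compared."""
import re

# Constructed sample input: taken from entries listed on this page.
ADVISORIES = {
    "WordPress core: Stored XSS via File Uploads":
        "3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, "
        "4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1",
    "WordPress core: Shortcode Execution in User Generated Content":
        "5.9.7, 6.0.5, 6.1.3, 6.2.2",
    "Rich Widget: Arbitrary File Upload": "No patched version available",
    "bSuite: Multiple Cross-Site Scripting": "5 alpha 3",
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """'4.9.9' -> (4, 9, 9); None if not a plain dotted version."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def parse_patched(field):
    """Patched-version field -> list of version tuples (empty = no fix)."""
    if field.strip().lower().startswith("no patched version"):
        return []
    versions = []
    for piece in field.split(","):
        parsed = parse_version(piece)
        if parsed is not None:
            versions.append(parsed)
    return versions


def branch_of(version, depth=2):
    """Assumption: the first two components identify a release branch."""
    return version[:depth]


def is_vulnerable(installed, patched_field):
    """True if `installed` is below the fix for its branch.

    With several patched releases, each one fixes its own branch, so the
    comparison is made against the patched release on the same branch
    first. If no patched release exists on the installed branch, anything
    older than the newest patched release is treated as unpatched, and
    anything at or above it is on a branch that shipped after the fix.
    Returns None when the installed version cannot be parsed.
    """
    inst = parse_version(installed)
    if inst is None:
        return None
    patched = parse_patched(patched_field)
    if not patched:
        return True  # no fix exists at all
    same_branch = [p for p in patched if branch_of(p) == branch_of(inst)]
    if same_branch:
        return inst < min(same_branch)
    return inst < max(patched)


def report(installed_by_name):
    """Map {advisory name: installed version} -> {name: verdict string}."""
    verdicts = {}
    for name, installed in installed_by_name.items():
        result = is_vulnerable(installed, ADVISORIES[name])
        if result is None:
            verdicts[name] = "unparseable version, check manually"
        else:
            verdicts[name] = "VULNERABLE" if result else "patched"
    return verdicts


if __name__ == "__main__":
    sample = {
        "WordPress core: Stored XSS via File Uploads": "4.9.8",
        "WordPress core: Shortcode Execution in User Generated Content": "6.1.3",
        "Rich Widget: Arbitrary File Upload": "1.0",
        "bSuite: Multiple Cross-Site Scripting": "5 alpha 2",
    }
    for name, verdict in report(sample).items():
        print(f"{name}: {verdict}")
```

The same-branch rule is what makes the 4.9.8 case come out right; the fallback for versions on a branch with no listed fix (for example 5.1.0 against the first core entry) assumes later branches inherited the fix, which holds for the core releases listed here but should be confirmed against the vendor's notes for any plugin that maintains several release lines.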
Plugin: JS Job Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: Crazy Bone
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WIP Custom Login
Vulnerability: Missing Authorization
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Gift Up Gift Cards for WordPress and WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.20.2
Recommended Action: Update to version 2.20.2, or a newer patched version
Plugin: Simple YouTube Responsive
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Social Rocket – Social Sharing Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Books & Papers
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.20220219
Recommended Action: Update to version 0.20220219, or a newer patched version
Plugin: Wp-Hide
Vulnerability: Missing Authorization to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Consultant
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quiz Maker
Vulnerability: Missing Authorization
Patched Version: 6.5.1.2
Recommended Action: Update to version 6.5.1.2, or a newer patched version
Plugin: WP Page Widget
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: Dynamically Register Sidebars
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Loginizer
Vulnerability: Reflected Cross-Site Scripting via ‘limit_session[count]’
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version
Plugin: Dynamic Visibility for Elementor
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Post Visibility Modification
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version
Plugin: Insert Pages
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version
Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
Vulnerability: Authorization Bypass to Blocking Control Bypass
Patched Version: 1.9.10.69
Recommended Action: Update to version 1.9.10.69, or a newer patched version
Plugin: POEditor
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version
Plugin: MultiParcels Shipping For WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.15.2
Recommended Action: Update to version 1.15.2, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version
Plugin: Comments – wpDiscuz
Vulnerability: Missing Authorization via AJAX actions
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version
Plugin: Convertful – Your Ultimate On-Site Conversion Tool
Vulnerability: Missing Authorization via add_woo_coupon
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: phpinfo() WP
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version
Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.16.11
Recommended Action: Update to version 1.16.11, or a newer patched version
Plugin: Bootstrap Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tajer
Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HashThemes Demo Importer
Vulnerability: Missing Authorization to Database Wipe
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Modern Events Calendar Lite
Vulnerability: Reflected Cross-Site Scripting via current_month_divider parameter
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version
Plugin: WP-RSS-Spreadshirt-3DCube-Gallery
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.21
Recommended Action: Update to version 6.21, or a newer patched version
Plugin: WP-EMail
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 2.67.3
Recommended Action: Update to version 2.67.3, or a newer patched version
Plugin: Photo Gallery by Ays – Responsive Image Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version
Plugin: CHP Ads Block Detector
Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Cross-Site Scripting
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version
Plugin: HT Portfolio – WordPress Portfolio Plugin for Elementor
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Scripts Organizer
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version
Plugin: Abandoned Cart Lite for WooCommerce
Vulnerability: Improper Authorization via wcal_preview_emails
Patched Version: 5.16.1
Recommended Action: Update to version 5.16.1, or a newer patched version
Plugin: Participants Database
Vulnerability: SQL Injection
Patched Version: 1.9.5.6
Recommended Action: Update to version 1.9.5.6, or a newer patched version
Plugin: WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log
Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Authorization Bypass
Patched Version: 3.43
Recommended Action: Update to version 3.43, or a newer patched version
Plugin: WPML
Vulnerability: Missing Authorization to Translation Job Status Change
Patched Version: 4.5.11
Recommended Action: Update to version 4.5.11, or a newer patched version
Plugin: WORDPRESS VIDEO GALLERY
Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.3.5
Recommended Action: Update to version 6.3.5, or a newer patched version
Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version
Plugin: wordpress-form-manager
Vulnerability: Authenticated Remote Command Execution
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version
Plugin: Cookie Monster
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Dynamic Pricing for WooCommerce
Vulnerability: Cross-Site Request Forgery via migrateProductOnlyToCommon function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version
Plugin: WP-T-Wap
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Infinite Scroll – Ajax Load More
Vulnerability: Authenticated (Admin+) Arbitrary File Read via Directory Traversal
Patched Version: 5.5.4.1
Recommended Action: Update to version 5.5.4.1, or a newer patched version
Plugin: lasTunes
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Facebook Page Photo Gallery
Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: Missing Authorization via listen
Patched Version: 4.9.10
Recommended Action: Update to version 4.9.10, or a newer patched version
Plugin: TNIT Filter Gallery Plugin
Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 0.0.7
Recommended Action: Update to version 0.0.7, or a newer patched version
Plugin: Related Posts for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version
Plugin: WP Custom Author URL
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.12.23
Recommended Action: Update to version 2.12.23, or a newer patched version
Plugin: Product Catalog Simple
Vulnerability: Sensitive Information Exposure via Product CSV
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: Sharebar
Vulnerability: Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Custom Field For WP Job Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: WP Meta SEO
Vulnerability: Missing Authorization in ‘checkAllCategoryInSitemap’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 3.13
Recommended Action: Update to version 3.13, or a newer patched version
Plugin: Download Monitor
Vulnerability: Authenticated Directory Traversal to Sensitive Information Exposure
Patched Version: 4.7.3
Recommended Action: Update to version 4.7.3, or a newer patched version
Plugin: Auto Upload Images
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: Auto More Tag
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SupportFlow
Vulnerability: Cross-Site Scripting via a ticket excerpt
Patched Version: 0.7
Recommended Action: Update to version 0.7, or a newer patched version
Plugin: MashShare – Social Media Share Buttons, Social Share Icons
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version
Plugin: Slider Revolution
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 6.6.13
Recommended Action: Update to version 6.6.13, or a newer patched version
Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Vulnerability: Stored Cross-Site Scripting via Import
Patched Version: 3.35.0
Recommended Action: Update to version 3.35.0, or a newer patched version
Core: WordPress
Vulnerability: Arbitrary File Upload
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version
Plugin: Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension
Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: Under Construction
Vulnerability: Cross-Site Request Forgery via admin_action_install_weglot
Patched Version: 3.97
Recommended Action: Update to version 3.97, or a newer patched version
Plugin: Cosmetsy Core
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Portfolio Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.05
Recommended Action: Update to version 1.05, or a newer patched version
Plugin: Ray Enterprise Translation
Vulnerability: Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version
Plugin: AdPush
Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.44
Recommended Action: Update to version 1.44, or a newer patched version
Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.13.30
Recommended Action: Update to version 7.13.30, or a newer patched version
Core: WordPress
Vulnerability: Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: World Travel Information
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 301 Redirects – Easy Redirect Manager
Vulnerability: Unspecified (affects versions <= 2.40)
Patched Version: 2.45
Recommended Action: Update to version 2.45, or a newer patched version
Plugin: Visual Form Builder
Vulnerability: Unauthenticated Information Disclosure
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version
Plugin: Woocommerce Follow-ups
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.9.50
Recommended Action: Update to version 4.9.50, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via html_tag
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: Database for Contact Form 7, WPforms, Elementor forms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Master Slider – Responsive Touch Slider
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.5
Recommended Action: Update to version 3.7.5, or a newer patched version
Plugin: Job Manager
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.7.25
Recommended Action: Update to version 0.7.25, or a newer patched version
Core: WordPress
Vulnerability: Security Hardening
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version
Plugin: Image Compressor & Optimizer – iLoveIMG
Vulnerability: Unspecified (affects versions <= 1.0.5)
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: LiveSync for WordPress
Vulnerability: Cross-Site Request Forgery to Arbitrary Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please rev