Watch Out Wednesday – January 24, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week we highlight known vulnerabilities in WordPress plugins (and, where relevant, WordPress core) so you can check your sites and act before they are exploited. For each entry, Patched Version is the first release that fixes the issue; update to that version or any newer release. Entries marked "No patched version available" had no fix at the time of writing: review the vulnerability's details and, depending on your risk tolerance, remove the plugin or replace it. Deactivating is not a substitute for removal, because an inactive plugin's files stay on disk and may still be reachable. Read the access level in each title carefully: an "Unauthenticated" issue can be triggered by anyone, a "Subscriber+" or "Contributor+" issue by any user who can register or submit content, and an "Administrator+" issue only by users who already hold admin privileges, which matters mainly on multisite installs or wherever administrators are not fully trusted. For the WordPress core entries, the listed patched versions are the oldest branches that received the fix; every currently supported core release already includes it.
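To turn this list into a check, compare the plugins actually installed on a site against the advisories. The script below is an added example, not part of this digest or of WP-CLI. It assumes the plugin inventory comes from the real WP-CLI command `wp plugin list --format=json`; the JSON embedded here is constructed sample output, not data from a real site, and the plugin slugs in ADVISORIES are assumed for illustration, since the digest lists display names rather than directory slugs. The vulnerability titles and patched versions are taken from the entries below.

```python
"""Check a site's installed plugins against this week's advisory list.

Added example; it is not part of the digest or of WP-CLI. It assumes the
plugin inventory comes from `wp plugin list --format=json` (a real WP-CLI
command) and that you map each advisory to the plugin's directory slug.
The JSON below is constructed sample output, not data from a real site, and
the slugs in ADVISORIES are assumed for illustration: the digest lists
display names, not slugs.
"""
import json
import re

# Constructed sample of `wp plugin list --format=json` output (not a real site).
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "abandoned-cart-lite-for-woocommerce", "status": "active",   "version": "1.8.5"},
    {"name": "w3-total-cache",                      "status": "active",   "version": "2.5.0"},
    {"name": "widgetshortcode",                     "status": "active",   "version": "0.3.1"},
    {"name": "wp-dbmanager",                        "status": "inactive", "version": "2.80.8"},
    {"name": "hello-dolly",                         "status": "inactive", "version": "1.7.2"},
])

# slug (assumed) -> (vulnerability as listed in the digest, first patched version or None)
ADVISORIES = {
    "abandoned-cart-lite-for-woocommerce": ("SQL Injection", "1.9"),
    "w3-total-cache": ("Password Hash Extraction", "0.9.2.5"),
    "widgetshortcode": ("Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", None),
    "wp-dbmanager": ("Authenticated (Admin+) Remote Code Execution on Multi-Site", "2.80.8"),
}


def parse_version(version):
    """Split a dotted version into integers. Pre-release suffixes such as
    'beta' are ignored, a simplification of PHP's version_compare(), which
    WordPress itself uses; plain dotted numerals compare identically."""
    return [int(part) for part in re.findall(r"\d+", version)]


def version_lt(installed, patched):
    """True if installed < patched, comparing numerically so that
    0.9.2.5 < 0.9.2.10 and 1.9 == 1.9.0 (a string compare gets both wrong)."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))


def assess(wp_cli_json, advisories):
    """Return {slug: verdict} for every installed plugin that has an advisory.

    Verdicts: 'update to X (...)', 'no patch: remove or replace (...)', or 'patched'.
    Inactive plugins are reported too: deactivating leaves the plugin's PHP
    files on disk, so remediation is updating or deleting, not deactivating.
    """
    verdicts = {}
    for plugin in json.loads(wp_cli_json):
        slug = plugin["name"]
        if slug not in advisories:
            continue
        title, patched = advisories[slug]
        if patched is None:
            verdicts[slug] = f"no patch: remove or replace ({title})"
        elif version_lt(plugin["version"], patched):
            verdicts[slug] = f"update to {patched} ({title})"
        else:
            verdicts[slug] = "patched"
    return verdicts


if __name__ == "__main__":
    for slug, verdict in assess(SAMPLE_WP_CLI_JSON, ADVISORIES).items():
        print(f"{slug}: {verdict}")
```

On a real site, replace SAMPLE_WP_CLI_JSON with the output of `wp plugin list --format=json` and fill ADVISORIES with the slugs from your `wp-content/plugins` directory. The numeric comparison matters: a naive string compare would rank 0.9.2.10 below 0.9.2.5 and miss a vulnerable install. Entries whose version is a date (such as 17-07-2019) do not sort correctly with this parser and need a manual check.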

Plugin: We’re Open!

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.38
Recommended Action: Update to version 1.38, or a newer patched version

Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)

Vulnerability: Cross-Site Request Forgery in new_voucher_template.php
Patched Version: 4.3.6
Recommended Action: Update to version 4.3.6, or a newer patched version

Plugin: MOLIE – Instructure Canvas Linking tool

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Socializer – Simple & Easy Social Media Share Icons

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.3
Recommended Action: Update to version 7.3, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Unauthenticated Blind SQL Injection
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: BuddyPress

Vulnerability: Authorization Bypass to Private Message Disclosure
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version

Plugin: User Activity Log

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: WidgetShortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: SQL Injection
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.24.4
Recommended Action: Update to version 1.24.4, or a newer patched version

Plugin: Backup Migration

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Live Scores for SportsPress

Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Header Footer Code Manager

Vulnerability: Authenticated SQL Injection
Patched Version: 1.1.14
Recommended Action: Update to version 1.1.14, or a newer patched version

Plugin: kk Star Ratings – Rate Post & Collect User Feedbacks

Vulnerability: Race Condition to Multiple User Voting
Patched Version: 5.4.6
Recommended Action: Update to version 5.4.6, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: AccessPress Social Icons

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: WP-DBManager

Vulnerability: Authenticated (Admin+) Remote Code Execution on Multi-Site
Patched Version: 2.80.8
Recommended Action: Update to version 2.80.8, or a newer patched version

Plugin: WP-Contact

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Slider

Vulnerability: Subscriber+ SQL Injection
Patched Version: 1.1.121
Recommended Action: Update to version 1.1.121, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Password Hash Extraction
Patched Version: 0.9.2.5
Recommended Action: Update to version 0.9.2.5, or a newer patched version

Plugin: Spiffy Calendar

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.9.2
Recommended Action: Update to version 4.9.2, or a newer patched version

Plugin: Edit Comments XT

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Booking Calendar

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.3.35
Recommended Action: Update to version 1.3.35, or a newer patched version

Plugin: iPanorama 360 – Advanced Virtual Tour Builder

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Catch Themes Demo Import

Vulnerability: Arbitrary File Upload
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Timely All-in-One Events Calendar

Vulnerability: Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Titan Framework

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Cross-Linker

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: SearchWP Premium

Vulnerability: Authenticated (Subscriber+) Nonce Leakage and Authorization Bypass
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Unauthorized Profile Modification
Patched Version: 2.0.40
Recommended Action: Update to version 2.0.40, or a newer patched version

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.5
Recommended Action: Update to version 6.0.5, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: Cross-Site Scripting via p_name parameter
Patched Version: 1.5.63
Recommended Action: Update to version 1.5.63, or a newer patched version

Plugin: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder

Vulnerability: Missing Authorization
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Missing Authorization to Product Creation/Modification
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version

Plugin: Woocommerce Tabs Plugin, Add Custom Product Tabs

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-ContactForm

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.7.1.1
Recommended Action: Update to version 2.7.1.1, or a newer patched version

Plugin: WF Cookie Consent

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Math Comment Spam Protection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Blaze Slideshow

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.33
Recommended Action: Update to version 1.2.33, or a newer patched version

Plugin: Facebook for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.15
Recommended Action: Update to version 1.9.15, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: BlogVault WordPress Backup Plugin – Migration, Staging, and Backups

Vulnerability: Not specified in this digest (affected version: 1.44)
Patched Version: 1.45
Recommended Action: Update to version 1.45, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection via WP_Meta_Query
Patched Version: 4.1.34
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.34, 4.2.31, 4.3.27, 4.4.26, 4.5.25, 4.6.22, 4.7.22, 4.8.18, 4.9.19, 5.0.15, 5.1.12, 5.2.14, 5.3.11, 5.4.9, 5.5.8, 5.6.7, 5.7.5, 5.8.3

Plugin: Easy Digital Downloads – Simple Shipping

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Sitekit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘sitekit_iframe’ shortcode
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Free counter

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: VK Filter Search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Contact Form builder with drag & drop for WordPress – Kali Forms

Vulnerability: Not specified in this digest (affects Kali Forms <= 2.3.36)
Patched Version: 2.3.37
Recommended Action: Update to version 2.3.37, or a newer patched version

Plugin: Visual Link Preview

Vulnerability: Unauthorized AJAX Calls
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: JS Job Manager

Vulnerability: Cross-Site Request Forgery via multiple functions
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Restaurant Menu – Food Ordering System – Table Reservation

Vulnerability: Missing Authorization on AJAX Actions
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: PDQ CSV

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Subscribe To Comments Reloaded

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 140219
Recommended Action: Update to version 140219, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Local File Inclusion
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: Leyka

Vulnerability: Privilege Escalation via Admin Password Reset
Patched Version: 3.30.3
Recommended Action: Update to version 3.30.3, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 1.5.3.2
Recommended Action: Update to version 1.5.3.2, or a newer patched version

Plugin: Category Post List Widget

Vulnerability: Unauthenticated Stored Cross-Site Scripting via custom_css
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: The Awesome Feed – Custom Feed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Event Monster – Event Management, Tickets Booking, Upcoming Event

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Smart Slider 3

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.1.14
Recommended Action: Update to version 3.5.1.14, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Missing Authorization on Various AJAX Actions
Patched Version: 7.8
Recommended Action: Update to version 7.8, or a newer patched version

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation
Patched Version: 7.5.5
Recommended Action: Update to version 7.5.5, or a newer patched version

Plugin: Bloom Email Opt-In

Vulnerability: Privilege Escalation
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Ideal Interactive Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easing Slider

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.0.7
Recommended Action: Update to version 2.2.0.7, or a newer patched version

Plugin: MemberPress Downloads

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Recipe Cards For Your Food Blog from Zip Recipes

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 8.1.1
Recommended Action: Update to version 8.1.1, or a newer patched version

Plugin: JM Twitter Cards

Vulnerability: Full Path Disclosure
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Ruven Toolkit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: IP Blacklist Cloud

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooDiscuz – WooCommerce Comments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Companion Sitemap Generator – HTML & XML

Vulnerability: Cross-Site Request Forgery and Local File Inclusion
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.1.28
Recommended Action: Update to version 3.1.28, or a newer patched version

Plugin: Simple Custom CSS and JS

Vulnerability: Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Dynamics 365 Integration

Vulnerability: Missing Authorization via init
Patched Version: 1.3.14
Recommended Action: Update to version 1.3.14, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Missing Authorization to Information Exposure
Patched Version: 5.0.4
Recommended Action: Update to version 5.0.4, or a newer patched version

Plugin: WPForms Pro

Vulnerability: CSV Injection
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: Image vertical reel scroll slideshow

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version

Plugin: Clipr

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Admin Language Change

Vulnerability: Authorization Bypass
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Product Input Fields for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: JetBackup – WP Backup, Migrate & Restore

Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 3.7.25
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.25, 3.8.25, 3.9.23, 4.0.22, 4.1.22, 4.2.19, 4.3.15, 4.4.14, 4.5.13, 4.6.10, 4.7.9, 4.8.5, 4.9.2

Plugin: Safe SVG

Vulnerability: Denial of Service
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version

Plugin: Community by PeepSo – Download from PeepSo.com

Vulnerability: Privilege Escalation
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Mingle Forum

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version

Plugin: Indeed Membership Pro

Vulnerability: Remote Image File Inclusion
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Reflected Cross-Site Scripting via ‘ays_pb_tab’ Parameter
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Plaintext Storage of Credentials
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: Maspik – Advanced Spam Protection

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.7.9
Recommended Action: Update to version 0.7.9, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.2.18
Recommended Action: Update to version 3.2.18, or a newer patched version

Plugin: WpStream – Live Streaming, Video on Demand, Pay Per View

Vulnerability: Cross-Site Request Forgery via wpstream_settings
Patched Version: 4.4.10.6
Recommended Action: Update to version 4.4.10.6, or a newer patched version

Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Content Deletion
Patched Version: 7.6.1
Recommended Action: Update to version 7.6.1, or a newer patched version

Plugin: WordPress Leads

Vulnerability: Authorization Bypass
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: WPAMS – Apartment Management System for wordpress

Vulnerability: Not specified in this digest (affects Apartment Management System for wordpress Theme < 17-07-2019)
Patched Version: 17-07-2019
Recommended Action: Update to version 17-07-2019, or a newer patched version

Plugin: Car Rental by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: SQL Injection
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: BJ Lazy Load

Vulnerability: Remote File Inclusion via TimThumb
Patched Version: 1.0
Recommended Action: Update to version 1.0, or a newer patched version

Plugin: YouSayToo auto-publishing plugin

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Builder by Themify

Vulnerability: Email Injection
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: WP phpMyAdmin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.0.4
Recommended Action: Update to version 5.2.0.4, or a newer patched version

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: Not specified in this digest (affects versions <= 1.3.3.2 of this plugin)
Patched Version: 1.3.3.3
Recommended Action: Update to version 1.3.3.3, or a newer patched version

Plugin: Bubble Menu – Sticky Navigation with Floating Button Menu Solution

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Core: WordPress

Vulnerability: Authenticated SQL Injection
Patched Version: 3.7.39
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.39, 3.8.39, 3.9.37, 4.0.36, 4.1.36, 4.2.33, 4.3.29, 4.4.28, 4.5.27, 4.6.24, 4.7.24, 4.8.20, 4.9.21, 5.0.17, 5.1.14, 5.2.16, 5.3.13, 5.4.11, 5.5.10, 5.6.9, 5.7.7, 5.8.5, 5.9.4, 6.0.2

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_preload_single_save_settings_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WP Reset – Most Advanced WordPress Reset Tool

Vulnerability: Authenticated Stored Cross-Site Scripting via extra_data Parameter
Patched Version: 1.90
Recommended Action: Update to version 1.90, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.12.1
Recommended Action: Update to version 5.12.1, or a newer patched version

Plugin: WP Booklet

Vulnerability: Authenticated (Subscriber+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: TS Webfonts for さくらのレンタルサーバ

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.5.5
Recommended Action: Update to version 5.5.5, or a newer patched version

Plugin: Simple Ads Manager

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.10.0.130
Recommended Action: Update to version 2.10.0.130, or a newer patched version

Plugin: Gallery – Video Gallery and YouTube Gallery

Vulnerability: Not specified in this digest (affects versions <= 2.0.3)
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Comment Uploaded Image Filename
Patched Version: 7.6.12
Recommended Action: Update to version 7.6.12, or a newer patched version

Plugin: RSVPMaker

Vulnerability: Server-Side Request Forgery
Patched Version: 8.7.4
Recommended Action: Update to version 8.7.4, or a newer patched version

Plugin: ChatBot Conversational Forms

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking

Vulnerability: Arbitrary File Upload
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version

Plugin: WORDPRESS VIDEO GALLERY

Vulnerability: Improper Access Control
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress

Vulnerability: Subscriber+ Arbitrary File Creation/Upload/Deletion
Patched Version: 5.2.3
Recommended Action: Update to version 5.2.3, or a newer patched version

Plugin: MyBookTable Bookstore by Stormhill Media

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: WPMobile.App — Android and iOS Mobile Application

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 11.21
Recommended Action: Update to version 11.21, or a newer patched version

Plugin: Blog2Social: Social Media Auto Post & Scheduler

Vulnerability: PHP Object Injection
Patched Version: 6.9.4
Recommended Action: Update to version 6.9.4, or a newer patched version

Plugin: Asgaros Forum

Vulnerability: Unauthenticated PHP Object Injection in prepare_unread_status
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: Easy Contact Form Solution

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Property Hive

Vulnerability: Remote Code Execution
Patched Version: 1.4.26
Recommended Action: Update to version 1.4.26, or a newer patched version

Plugin: Updraft

Vulnerability: Reflected Cross-Site Scripting via ‘backup_timestamp’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: YouTube Playlist Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6.8
Recommended Action: Update to version 4.6.8, or a newer patched version

Plugin: WooCommerce Easy Duplicate Product

Vulnerability: Missing Authorization via wedp_duplicate_product_action
Patched Version: 0.3.0.8
Recommended Action: Update to version 0.3.0.8, or a newer patched version

Plugin: Filr – Secure document library

Vulnerability: Missing Authorization
Patched Version: 1.2.2.1
Recommended Action: Update to version 1.2.2.1, or a newer patched version

Plugin: KP Fastest Tawk.to Chat

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AS – Create Pinterest Pinboard Pages

Vulnerability: Authenticated Options Change to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Grid Portfolio – Photo Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: PhotoXhibit

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Cross-Site Scripting
Patched Version: 4.4.6
Recommended Action: Update to version 4.4.6, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery via process_bulk_activate_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: WP Admin UI Customize

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 1.5.13
Recommended Action: Update to version 1.5.13, or a newer patched version

Plugin: WP Google Fonts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: ElasticPress

Vulnerability: Directory Traversal
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: CatalogX – Product Catalog Mode For WooCommerce

Vulnerability: Missing Authorization
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: Sensei LMS – Online Courses, Quizzes, & Learning

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.18.0
Recommended Action: Update to version 4.18.0, or a newer patched version

Plugin: OpenInviter for WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery via wp_ajax_powerpress_media_info
Patched Version: 11.0.7
Recommended Action: Update to version 11.0.7, or a newer patched version

Plugin: WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: WP GDPR

Vulnerability: Missing Authorization Checks
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Time Slots Booking Form

Vulnerability: Cross-Site Request Forgery to Feedback Submission
Patched Version: 1.1.77
Recommended Action: Update to version 1.1.77, or a newer patched version

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 8.9.6
Recommended Action: Update to version 8.9.6, or a newer patched version

Plugin: Credova Financial

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via imported form title
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version

Plugin: JivoChat Live Chat – WP live chat plugin for WordPress

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.3.5.4
Recommended Action: Update to version 1.3.5.4, or a newer patched version

Plugin: Read More Excerpt Link

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in admin_widgets_welcome function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: GigPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Cross-Site Request Forgery to Sensitive Information Exposure
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version

Plugin: Daily Inspiration Generator

Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ND Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.6
Recommended Action: Update to version 6.6, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: SQL Injection
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: WordPress Social Comments Plugin for Vkontakte Comments and Disqus Comments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Fix My Feed RSS Repair

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Google Analytics
Patched Version: 8.9.1
Recommended Action: Update to version 8.9.1, or a newer patched version

Plugin: WP Airbnb Review Slider

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Authentication Bypass
Patched Version: 3.7.1.6
Recommended Action: Update to version 3.7.1.6, or a newer patched version

Plugin: Gravity Forms

Vulnerability: SQL Injection
Patched Version: 1.9.3.6
Recommended Action: Update to version 1.9.3.6, or a newer patched version

Plugin: Visual Email Designer for WooCommerce

Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: AJAX Thumbnail Rebuild

Vulnerability: Missing Authorization
Patched Version: 1.14
Recommended Action: Update to version 1.14, or a newer patched version

Plugin: CRM WordPress Plugin – RepairBuddy

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: DTracker

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: e-signature

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 1.5.6.8
Recommended Action: Update to version 1.5.6.8, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 5.1.5
Recommended Action: Update to version 5.1.5, or a newer patched version

Plugin: Twitch Player

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Site Reviews

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute
Patched Version: 6.6.0
Recommended Action: Update to version 6.6.0, or a newer patched version

Plugin: Custom Product Tabs for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: WP Dialog

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VK Blocks Pro

Vulnerability: Stored (Contributor+) Cross-Site Scripting in Post
Patched Version: 1.54.0
Recommended Action: Update to version 1.54.0, or a newer patched version

Plugin: Zero Spam for WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.4.5
Recommended Action: Update to version 5.4.5, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.6.2
Recommended Action: Update to version 2.2.6.2, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Stored Cross-Site Scripting via Profile
Patched Version: 4.7.7
Recommended Action: Update to version 4.7.7, or a newer patched version

Plugin: WooCommerce Warranty Requests

Vulnerability: Missing Authorization
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: WordPress Robots.txt optimizer (+ XML Sitemap) – Boost SEO, Traffic & Rankings

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: E2Pdf – Export Pdf Tool for WordPress

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.20.26
Recommended Action: Update to version 1.20.26, or a newer patched version

Plugin: Map Block for Google Maps

Vulnerability: Unprotected AJAX Action
Patched Version: 1.32
Recommended Action: Update to version 1.32, or a newer patched version

Plugin: WP Bootstrap Gallery

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HMS Testimonials

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Cross-Site Request Forgery to PHAR Deserialization
Patched Version: 5.5.4
Recommended Action: Update to version 5.5.4, or a newer patched version

Plugin: Contact Form for WordPress – Ultimate Form Builder Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery via process_duplicate_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: Document Embedder – Document Embedder Plugin

Vulnerability: Sensitive Data Exposure
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Weather Effect – Christmas, Santa, Snow Falling, Snowflake Effect

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Reflected Cross-Site Scripting via error message
Patched Version: 4.11.0
Recommended Action: Update to version 4.11.0, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Parameter Tampering
Patched Version: 3.2.15
Recommended Action: Update to version 3.2.15, or a newer patched version

Plugin: GTM4WP – A Google Tag Manager (GTM) plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting via Site Search
Patched Version: 1.15.1
Recommended Action: Update to version 1.15.1, or a newer patched version

Plugin: Hide My WP – Amazing Security Plugin for WordPress!

Vulnerability: SQL Injection
Patched Version: 6.2.4
Recommended Action: Update to version 6.2.4, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via filenames
Patched Version: 3.7.21
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.21, 3.8.21, 3.9.19, 4.0.18, 4.1.18, 4.2.15, 4.3.11, 4.4.10, 4.5.9, 4.6.6, 4.7.5

Plugin: WordPress NextGen GalleryView

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visitor Traffic Real Time Statistics

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version

Plugin: WooCommerce Customers Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 26.6
Recommended Action: Update to version 26.6, or a newer patched version

Plugin: mini-cart

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Five Star Restaurant Menu and Food Ordering

Vulnerability: Cross-Site Request Forgery via maybe_duplicate_item
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: Live Chat by Formilla – Real-time Chat & Chatbots Plugin

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaID’
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via CSS
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1

Plugin: underConstruction

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.21
Recommended Action: Update to version 1.21, or a newer patched version

Plugin: WP Comment Remix

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: BuddyPress

Vulnerability: Authorization Bypass to Friend Invite
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Cross-Site Scripting
Patched Version: 4.1.6.1
Recommended Action: Update to version 4.1.6.1, or a newer patched version

Plugin: Dave's WordPress Live Search

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unite Gallery Lite

Vulnerability: Cross-Site Request Forgery & Authenticated SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Maps Widget for Google Maps

Vulnerability: Cross-Site Request Forgery via dismiss_notice
Patched Version: 4.24
Recommended Action: Update to version 4.24, or a newer patched version

Plugin: Slideshow SE

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Open Redirection via redirect_to_https
Patched Version: 8.1.5
Recommended Action: Update to version 8.1.5, or a newer patched version

Plugin: WPSOLR – Elasticsearch and Solr search

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.7
Recommended Action: Update to version 8.7, or a newer patched version

Plugin: Request a Quote

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: Ultimate Form Builder <= 8.3.2
Patched Version: 8.3.3
Recommended Action: Update to version 8.3.3, or a newer patched version

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Cross-Site Request Forgery via migrateCommonToProductOnly function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: WPQA – Builder forms Addon For WordPress

Vulnerability: Builder forms Addon For WordPress <= 5.4
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version

Plugin: Captcha by BestWebSoft – Spam Protection, Security Plugin for WordPress Forms

Vulnerability: CAPTCHA Bypass
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: Falang multilanguage for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.18
Recommended Action: Update to version 1.3.18, or a newer patched version

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Reflected Cross-Site Scripting via ‘delete_mobile’
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 6.5.8
Recommended Action: Update to version 6.5.8, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting and Settings Reset
Patched Version: 4.2.9
Recommended Action: Update to version 4.2.9, or a newer patched version

Plugin: Tooltipy (tooltips for WP)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Chaty <= 3.0.2
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: NewStatPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Culture Object

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Advance Menu Manager

Vulnerability: Missing Authorization
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Compfight

Vulnerability: Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Arbitrary File Upload
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: Better Click To Tweet

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.10.4
Recommended Action: Update to version 5.10.4, or a newer patched version

Plugin: Portable phpMyAdmin

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Sharebar

Vulnerability: SQL Injection
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Call Now Accessibility Button

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Core: WordPress

Vulnerability: Type Confusion
Patched Version: 3.7.31
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.31, 3.8.31, 3.9.29, 4.0.28, 4.1.28, 4.2.25, 4.3.21, 4.4.20, 4.5.19, 4.6.16, 4.7.14, 4.8.11, 4.9.12, 5.0.7, 5.1.3, 5.2.4

Plugin: WatchTowerHQ

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 3.6.16
Recommended Action: Update to version 3.6.16, or a newer patched version

Plugin: Category Post List Widget

Vulnerability: Cross-Site Request Forgery via get_cplw_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NewStatPress

Vulnerability: SQL Injection
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Broken Link Manager

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.15.6
Recommended Action: Update to version 1.15.6, or a newer patched version

Plugin: WP BrowserUpdate

Vulnerability: Cross-Site Request Forgery via wpbu_administration
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: Internal Links Manager

Vulnerability: Multiple Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Recommended Products – EDD

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.3.3
Recommended Action: Update to version 1.2.3.3, or a newer patched version

Plugin: Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Table of Contents Plus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2309
Recommended Action: Update to version 2309, or a newer patched version

Plugin: Avada (Fusion) Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version

Plugin: GDPR Compliance & Cookie Consent

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: demon image annotation

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: WordPress NextGen GalleryView

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jquery accordion slideshow

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 0.72
Recommended Action: Update to version 0.72, or a newer patched version

Plugin: Simple SEO

Vulnerability: Cross-Site Request Forgery via multiple admin_post functions
Patched Version: 2.0.26
Recommended Action: Update to version 2.0.26, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: 2.0.15
Patched Version: 2.0.16
Recommended Action: Update to version 2.0.16, or a newer patched version

Plugin: Webriti SMTP Mail

Vulnerability: Cross-Site Request Forgery to options update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Showbiz Pro Responsive Teaser WordPress Plugin

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DrawBlog

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.81
Recommended Action: Update to version 0.81, or a newer patched version

Plugin: Product Filter for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 8.2.0
Recommended Action: Update to version 8.2.0, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Content Cards

Vulnerability: Cross-Site Scripting
Patched Version: 0.9.7
Recommended Action: Update to version 0.9.7, or a newer patched version

Plugin: wp-forecast

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.0
Recommended Action: Update to version 8.0, or a newer patched version

Plugin: Media File Manager

Vulnerability: Directory Traversal to Directory Listing
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: firestats

Vulnerability: Remote File Inclusion
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Thumbnail Slider With Lightbox

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: EZP Coming Soon Page

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.74
Recommended Action: Update to version 1.0.74, or a newer patched version

Plugin: Booking Calendar Contact Form

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Feedback Form Submission
Patched Version: 1.2.35
Recommended Action: Update to version 1.2.35, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.62
Recommended Action: Update to version 4.62, or a newer patched version

Plugin: Disable User Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: WP Dummy Content Generator

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Quick Restaurant Menu

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: CALL ME NOW

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: LDAP Passback
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Core: WordPress

Vulnerability: Hash Collision
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1

Plugin: Portfolio Gallery

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Optima Express + MarketBoost IDX Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version

Plugin: underConstruction

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.19
Recommended Action: Update to version 1.19, or a newer patched version

Plugin: myftp-ftp-like-plugin-for-wordpress

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.15.19
Recommended Action: Update to version 1.15.19, or a newer patched version

Plugin: Publish Confirm Message

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Pipdig Power Pack (P3)

Vulnerability: Backdoor
Patched Version: 4.8.0
Recommended Action: Update to version 4.8.0, or a newer patched version

Plugin: s2Framework

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Media Library Assistant

Vulnerability: Unauthenticated Local/Remote File Inclusion & Remote Code Execution
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version

Plugin: 404 to 301 – Redirect, Log and Notify 404 Errors

Vulnerability: Missing Authorization to Redirect Creation
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: PDF & Print by BestWebSoft – WordPress Posts and Pages PDF Generator Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: MainWP Wordfence Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: VikRentCar Car Rental Management System

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: VK Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block
Patched Version: 1.64.0.0
Recommended Action: Update to version 1.64.0.0, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via Text Editor
Patched Version: 2.5.5.3
Recommended Action: Update to version 2.5.5.3, or a newer patched version

Plugin: Comment Rating

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Top Bar

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: wSecure Lite

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: DSGVO All in one for WP

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version

Plugin: Advanced Local Pickup for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Lazy Load

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.6.1
Recommended Action: Update to version 0.6.1, or a newer patched version

Plugin: Campaign URL Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Create Link
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Autotitle for WordPress

Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smash Balloon Social Photo Feed – Easy Social Feeds Plugin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Rezgo Online Booking

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Telephone Number Linker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Link Juice Keeper

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Audio Merchant

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Facebook Members

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: WP Media Cleaner

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: WooCommerce Square

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: WPML

Vulnerability: Cross-Site Scripting in Accept-Language Header
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: Export All URLs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Plugin: Form Vibes – Database Manager for Forms

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Download Manager

Vulnerability: Missing Authorization
Patched Version: 3.1.18
Recommended Action: Update to version 3.1.18, or a newer patched version

Plugin: Admin Columns

Vulnerability: No subtitle
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version

Plugin: ADIF Log Search Widget

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEOPress – On-site SEO

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 6.5.0.3
Recommended Action: Update to version 6.5.0.3, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Arbitrary File Upload
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Scoutnet Kalender

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Videos sync PDF

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Recip.ly Plugin

Vulnerability: Unauthenticated Arbitrary File Upload in uploadImage.php
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 0.5.28
Recommended Action: Update to version 0.5.28, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Cross-Site Scripting via LaTeX markup within HTML elements
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: Breadcrumbs by menu

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads

Vulnerability: Arbitrary Post Deletion
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box

Vulnerability: Cross-Site Request Forgery
Patched Version: 20220216
Recommended Action: Update to version 20220216, or a newer patched version

Plugin: Appointment Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon

Vulnerability: Open Redirect via atkpout.php
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Panda Pods Repeater Field

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: WP-Testimonials

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: SQL Injection
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.0.2
Recommended Action: Update to version 1.6.0.2, or a newer patched version

Plugin: Tickera – WordPress Event Ticketing

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.4.8.3
Recommended Action: Update to version 3.4.8.3, or a newer patched version

Plugin: Vertical marquee plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Portfolio Responsive Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Social Auto Poster

Vulnerability: Cross-Site Request Forgery to Plugin Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pagebar2

Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
Patched Version: 2.66
Recommended Action: Update to version 2.66, or a newer patched version

Core: WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Stock Ticker

Vulnerability: Reflected Cross-Site Scripting in ajax_stockticker_load
Patched Version: 3.23.4
Recommended Action: Update to version 3.23.4, or a newer patched version

Plugin: ALO EasyMail Newsletter

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version

Plugin: Realia

Vulnerability: Cross-Site Request Forgery to User Email Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DeepL API translation plugin

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: Ultimate Taxonomy Manager

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: visitor-maps

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.8.7
Recommended Action: Update to version 1.5.8.7, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Blind SQL Injection
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: Rich Counter

Vulnerability: JavaScript Injection
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Youtube Channel Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Connections Business Directory

Vulnerability: Cross-Site Scripting
Patched Version: 8.5.9
Recommended Action: Update to version 8.5.9, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Chaty <= 2.8.2 Reflected Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: WhyDoWork AdSense

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kanban Boards for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version

Plugin: Gutenberg Block Editor Toolkit – EditorsKit

Vulnerability: Authenticated (Contributor+) Code Injection
Patched Version: 1.31.6
Recommended Action: Update to version 1.31.6, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version

Plugin: Yatra – Tour and Travel Booking Solution

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version

Plugin: MainWP Broken Link Checker

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Redux Framework

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.21
Recommended Action: Update to version 4.1.21, or a newer patched version

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Missing Authorization Checks
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: Schema & Structured Data for WP & AMP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.24
Recommended Action: Update to version 1.24, or a newer patched version

Plugin: WP eCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 3.8.9.1
Recommended Action: Update to version 3.8.9.1, or a newer patched version

Plugin: MailPoet – Newsletters, Email Marketing, and Automation

Vulnerability: Reflected Cross-Site Scripting via URL parameter
Patched Version: 3.23.2
Recommended Action: Update to version 3.23.2, or a newer patched version

Plugin: Membership Simplified

Vulnerability: SQL Injection
Patched Version: 1.58
Recommended Action: Update to version 1.58, or a newer patched version

Plugin: Who Hit The Page – Hit Counter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Restaurant & Cafe Addon for Elementor

Vulnerability: Missing Authorization
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Configurable Tag Cloud (CTC)

Vulnerability: Cross-Site Request Forgery via ctc_options_page()
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version

Plugin: File Manager

Vulnerability: Missing Authorization on AJAX Actions
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: UTM Tracker

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated Cross-Site Scripting in Youtube URL Embeds
Patched Version: 3.7.19
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.19, 3.8.19, 3.9.17, 4.0.16, 4.1.16, 4.2.13, 4.3.9, 4.4.8, 4.5.7, 4.6.4, 4.7.3

Plugin: Smart SEO Tool – SEO优化插件

Vulnerability: Cross-Site Request Forgery via ‘wp_ajax_wb_smart_seo_tool’
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Custom Field Suite

Vulnerability: Missing Authorization
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Web3 – Crypto wallet Login & NFT token gating

Vulnerability: Authentication Bypass
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.62
Recommended Action: Update to version 3.2.62, or a newer patched version

Plugin: WP Users Media

Vulnerability: Cross-Site Request Forgery in wpusme_save_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gecka Terms Thumbnails

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Note Press

Vulnerability: SQL Injection
Patched Version: 0.1.2
Recommended Action: Update to version 0.1.2, or a newer patched version

Plugin: Image Slider by NextCode – Photo & Video Slider

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zedna eBook download

Vulnerability: Directory Traversal
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Reflected Cross-Site Scripting via message_id
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Two-factor authentication (formerly IP Vault)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: LearnDash LMS

Vulnerability: Reflected Cross-Site Scripting issue on the [ld_profile] search field
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Insert Special Characters

Vulnerability: Improper Input Validation
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Meow Gallery

Vulnerability: SQL Injection
Patched Version: 4.1.9
Recommended Action: Update to version 4.1.9, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: AdRotate Banner Manager – The only ad manager you'll need

Vulnerability: Authenticated Stored Cross-Site Scripting via Group Names
Patched Version: 5.8.23
Recommended Action: Update to version 5.8.23, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Sensitive Data Exposure
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Authenticated (Contributor+) Blind SQL Injection via Shortcode
Patched Version: 5.0.10
Recommended Action: Update to version 5.0.10, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.7
Recommended Action: Update to version 5.6.7, or a newer patched version

Plugin: WP Human Resource Management

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Crafty Social Buttons

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: CopySafe Web Protection

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.14
Recommended Action: Update to version 3.14, or a newer patched version

Plugin: Anti-Malware Security and Brute-Force Firewall

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.21.83
Recommended Action: Update to version 4.21.83, or a newer patched version

Plugin: Block wp-login

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: Membership Database

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Directory Traversal
Patched Version: 0.8.9.6
Recommended Action: Update to version 0.8.9.6, or a newer patched version

Plugin: Custom Post Type UI

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: User Enumeration Bypass
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version

Plugin: Patreon WordPress

Vulnerability: Local File Disclosure
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Tab Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: WPQA – Builder forms Addon For WordPress

Vulnerability: Builder forms Addon For WordPress < 5.2
Patched Version: 5.2
Recommended Action: Update to version 5.2, or a newer patched version

Plugin: Opensea

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: PictoBrowser

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce

Vulnerability: Authenticated Stored Cross-Site Scripting via FB Pixel ID and Google Analytics ID
Patched Version: 1.6.13
Recommended Action: Update to version 1.6.13, or a newer patched version

Core: WordPress MU

Vulnerability: Arbitrary File Upload
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Emails & Newsletters with Jackmail

Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Syncee Collective Dropshipping

Vulnerability: Missing Authorization
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version

Plugin: Open User Map

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.27
Recommended Action: Update to version 1.3.27, or a newer patched version

Plugin: Social Buttons Pack by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: JS Multi Hotel

Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists

Vulnerability: Missing Authorization via save_ditty_permissions_check
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version

Plugin: WPML

Vulnerability: SQL Injection via lang Parameter
Patched Version: 3.1.9.1
Recommended Action: Update to version 3.1.9.1, or a newer patched version

Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 2.10.1
Recommended Action: Update to version 2.10.1, or a newer patched version

Plugin: WP-Lister Lite for Amazon

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.7.4
Recommended Action: Update to version 9.7.4, or a newer patched version

Plugin: WP FEvents Book

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcode IMDB

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ooorl

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BulletProof Security

Vulnerability: Cross-Site Scripting
Patched Version: .51.1
Recommended Action: Update to version .51.1, or a newer patched version

Plugin: WooCommerce Subscription

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.6.0
Recommended Action: Update to version 4.6.0, or a newer patched version

Plugin: WP Hide & Security Enhancer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Sermon’e – Sermons Online

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Menu – Create Mobile-Friendly Menu

Vulnerability: Cross-Site Request Forgery to Setting Modification
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: Generate Images (AI) – Magic Post Thumbnail

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.1.11
Recommended Action: Update to version 4.1.11, or a newer patched version

Plugin: User Meta – User Profile Builder and User management plugin

Vulnerability: Arbitrary File Upload
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Cross-Site Request Forgery via ajax_add_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Global Flash Gallery

Vulnerability: SQL Injection
Patched Version: 0.15.2
Recommended Action: Update to version 0.15.2, or a newer patched version

Plugin: Gallery PhotoBlocks

Vulnerability: Missing Authorization Checks
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Authentication Bypass
Patched Version: 7.6.5
Recommended Action: Update to version 7.6.5, or a newer patched version

Plugin: Ninja Forms – File Uploads

Vulnerability: File Uploads <= 3.0.22
Patched Version: 3.0.23
Recommended Action: Update to version 3.0.23, or a newer patched version

Plugin: WP Mail

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Defender Security – Malware Scanner, Login Security & Firewall

Vulnerability: Hide Login Page Feature Protection Bypass
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: WP Simple Adsense Insertion

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Coditor – Code Editor

Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: Booking Price Manipulation via bookingpress_confirm_booking
Patched Version: 1.0.75
Recommended Action: Update to version 1.0.75, or a newer patched version

Plugin: White Label CMS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Core: WordPress MU

Vulnerability: Username Enumeration
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Clockwork SMS Notifications

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image horizontal reel scroll slideshow

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 13.3
Recommended Action: Update to version 13.3, or a newer patched version

Plugin: Login for Google Apps

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Authenticated (Shop Manager+) Missing Authorization to Arbitrary Options Update
Patched Version: 7.1.0
Recommended Action: Update to version 7.1.0, or a newer patched version

Plugin: Optimize Database after Deleting Revisions

Vulnerability: Missing Authorization via ‘odb_csv_download’
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: Easy Digital Downloads – htaccess Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Autoptimize

Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 2.7.7
Recommended Action: Update to version 2.7.7, or a newer patched version

Plugin: WP Marketplace – Complete Shopping Cart / eCommerce Solution

Vulnerability: Arbitrary File Download
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: WPMobile.App — Android and iOS Mobile Application

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 11.14
Recommended Action: Update to version 11.14, or a newer patched version

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Team Members

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘rawdata’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: eShop

Vulnerability: Cross-Site Scripting
Patched Version: 6.3.12
Recommended Action: Update to version 6.3.12, or a newer patched version

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.15.0
Recommended Action: Update to version 2.15.0, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.8.4.3
Recommended Action: Update to version 1.8.4.3, or a newer patched version

Plugin: f(x) TOC

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Pipes

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Survey Maker

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Gmedia Photo Gallery

Vulnerability: Arbitrary File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Product Catalog Feed by PixelYourSite

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: 3DPrint

Vulnerability: Cross-Site Request Forgery to Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: License Manager for WooCommerce

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version

Plugin: AMP for WP – Accelerated Mobile Pages

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.77.32
Recommended Action: Update to version 1.0.77.32, or a newer patched version

Plugin: WordPress Slider Block Gutenslider

Vulnerability: Cross-Site Scripting
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: Any Hostname

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina)

Vulnerability: Cross-Site Scripting
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_clear_cache_of_allsites_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Live Composer – Free WordPress Website Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.24
Recommended Action: Update to version 1.5.24, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: Login Lockdown & Protection

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.07
Recommended Action: Update to version 2.07, or a newer patched version

Plugin: Ebook Store

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.78
Recommended Action: Update to version 5.78, or a newer patched version

Plugin: cformsII

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: nextgen-smooth-gallery

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Scripting via MediaElement.js
Patched Version: 3.7.14
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.14, 3.8.14, 3.9.12, 4.0.11, 4.1.11, 4.2.8, 4.3.4, 4.4.3, 4.5.2

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6.59
Recommended Action: Update to version 1.6.59, or a newer patched version

Plugin: MainWP Maintenance Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: WordPress Contact Forms by Cimatti

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version

Plugin: Chilexpress woo oficial

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Collapse-O-Matic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Simple Share Buttons Adder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.25.6
Recommended Action: Update to version 1.25.6, or a newer patched version

Plugin: WordPress Tables

Vulnerability: Reflected Cross-Site Scripting via error_msg
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RSSImport

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login and Logout Redirect

Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Analytics for Woo – Putler Accurate Analytics and Reports for your WooCommerce Store

Vulnerability: Missing Authorization via ‘putler_connector_sync_complete’
Patched Version: 2.13.0
Recommended Action: Update to version 2.13.0, or a newer patched version

Plugin: ActiveCampaign for WooCommerce

Vulnerability: Missing Authorization to Error Log Deletion
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: PHP Object Injection
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: Back In Stock Notifier for WooCommerce | Manage Inventory and Waitlist Product for WooCommerce

Vulnerability: Missing Authorization via API
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Complete Gallery Manager for WordPress | Galleries

Vulnerability: Arbitrary File Upload
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: WP-FlyBox

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 7.13.45
Recommended Action: Update to version 7.13.45, or a newer patched version

Plugin: WP Report Post

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Toolset Types – Custom Post Types, Custom Fields and Taxonomies

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 3.4.18
Recommended Action: Update to version 3.4.18, or a newer patched version

Plugin: Featured Image from URL (FIFU)

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.10
Recommended Action: Update to version 2.8.10, or a newer patched version

Plugin: Relevant – Related, Featured, Latest, and Popular Posts by BestWebSoft

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Email Encoder – Protect Email Addresses and Phone Numbers

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Authors List

Vulnerability: Reflected Cross-Site Scripting via al_id
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: article2pdf

Vulnerability: Denial of Service
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 123.chat – 1:1 Live Video Chat Tool Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Chaty <= 3.1.1
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Core: WordPress

Vulnerability: Authentication Bypass
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Gwyn’s Imagemap Selector

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress prettyPhoto

Vulnerability: DOM Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WP Rollback – Rollback Plugins and Themes

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Email Template Designer – WP HTML Mail

Vulnerability: Missing Authorization on Rest Route
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Portfolio Gallery – Photo Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: FlagEm

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wordpress plugin rockhoist-badges

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Sensitive Information Exposure via Diff Response
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: Display Data on your site! Create Dynamic Content Templates from any form of data. Works with ACF, Pods, BuddyPress/ BuddyBoss

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: HDW Player Plugin (Video Player & Video Gallery)

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Automatic YouTube Gallery

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Request Forgery via admin_galleries
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: a3 Portfolio

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Contact Forms – Drag & Drop Contact Form Builder

Vulnerability: Drag & Drop Contact Form Builder <= 1.0.5
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Tape

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pay With Tweet

Vulnerability: Authenticated SQL Injection
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Countdown Block

Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.3
Recommended Action: Update to version 2.10.3, or a newer patched version

Plugin: Corner Ad

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.57
Recommended Action: Update to version 1.0.57, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Scripting
Patched Version: 3.2.16
Recommended Action: Update to version 3.2.16, or a newer patched version

Plugin: Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Access Code Feeder

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Engine

Vulnerability: Authenticated (Editor+) Arbitrary File Upload via add_image_from_url
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds

Vulnerability: SQL Injection
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Insufficient Access Control to Template Activation
Patched Version: 1.3.60
Recommended Action: Update to version 1.3.60, or a newer patched version

Plugin: CF7 Invisible reCAPTCHA

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Mega Menu Plugin for WordPress – AP Mega Menu

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: a3 Responsive Slider

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: wp-media-player

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spot.IM Comments

Vulnerability: Cross-Site Scripting
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: WP JS

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin and Site Enhancements (ASE)

Vulnerability: Password Protection Mode Security Feature Bypass
Patched Version: 5.8.0
Recommended Action: Update to version 5.8.0, or a newer patched version

Plugin: Post Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.31
Recommended Action: Update to version 1.1.31, or a newer patched version

Core: WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Gmedia Photo Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Advanced Product Labels for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.3.7
Recommended Action: Update to version 1.2.3.7, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Authorization Bypass to Arbitrary File Upload/Delete
Patched Version: 1.0.84
Recommended Action: Update to version 1.0.84, or a newer patched version

Plugin: Community by PeepSo – Download from PeepSo.com

Vulnerability: Cross-Site Request Forgery via delete
Patched Version: 6.2.0.0
Recommended Action: Update to version 6.2.0.0, or a newer patched version

Plugin: EmbedSocial – Social Media Feeds, Reviews and Galleries

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.28
Recommended Action: Update to version 1.1.28, or a newer patched version

Plugin: Booster Plus for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: article2pdf

Vulnerability: 0.27
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Thinkun Remind

Vulnerability: Directory Traversal
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Sharebar

Vulnerability: Cross-Site Request Forgery to Settings Update & Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ibtana – WordPress Website Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2.1
Recommended Action: Update to version 1.2.2.1, or a newer patched version

Plugin: Code Snippets

Vulnerability: Cross-Site Request Forgery to Remote Code Execution
Patched Version: 2.14.0
Recommended Action: Update to version 2.14.0, or a newer patched version

Plugin: Magn WP Drag And Drop Media Uploader

Vulnerability: Arbitrary File Upload
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Structured Content (JSON-LD) #wpsc

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Quiz Maker

Vulnerability: SQL Injection
Patched Version: 6.2.0.9
Recommended Action: Update to version 6.2.0.9, or a newer patched version

Plugin: Advanced Local Pickup for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: WP Super Popup

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Continuous Image Carousel With Lightbox

Vulnerability: Reflected Cross-Site Scripting via search_term, order_by and order_pos
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version

Plugin: jQuery T(-) Countdown Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.24
Recommended Action: Update to version 2.3.24, or a newer patched version

Plugin: Image Optimizer by 10web – Image Optimizer and Compression plugin

Vulnerability: Directory Traversal to Information Exposure
Patched Version: 1.0.26
Recommended Action: Update to version 1.0.26, or a newer patched version

Plugin: Xerte Online

Vulnerability: Arbitrary File Upload
Patched Version: 0.36
Recommended Action: Update to version 0.36, or a newer patched version

Plugin: WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Core: WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.24
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.24, 3.8.24, 3.9.22, 4.0.21, 4.1.21, 4.2.18, 4.3.14, 4.4.13, 4.5.12, 4.6.9, 4.7.8, 4.8.4, 4.9.1

Plugin: File Gallery

Vulnerability: Reflected Cross-Site Scripting via post_id
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Secure Copy Content Protection and Content Locking

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Blue Wrench Video Widget

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: GD Mail Queue

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Quick Page/Post Redirect Plugin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: Geo Mashup

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Up down image slideshow gallery

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 12.1
Recommended Action: Update to version 12.1, or a newer patched version

Plugin: BSK PDF Manager

Vulnerability: Authenticated SQL Injection
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: WPGateway

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.25
Recommended Action: Update to version 4.3.25, or a newer patched version

Plugin: Guest Author

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Add Shortcodes Actions And Filters

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LiveChat – WP live chat plugin for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5.16
Recommended Action: Update to version 4.5.16, or a newer patched version

Plugin: Easy Modal

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 8.5
Recommended Action: Update to version 8.5, or a newer patched version

Plugin: IP2Location Country Blocker

Vulnerability: Ban Bypass
Patched Version: 2.26.5
Recommended Action: Update to version 2.26.5, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Multiple Cross-Site Request Forgery vulnerabilities
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version

Plugin: flickrRSS

Vulnerability: Cross-Site Scripting via flickrRSS_id
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Eventify™ – Simple Events

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ajax-random-post

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Title Field Validation

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcodes by Angie Makes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.1.28
Recommended Action: Update to version 2.1.28, or a newer patched version

Plugin: WP Clone Menu

Vulnerability: Missing Authorization to Menu Clone
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GNUCommerce

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: 5 Anker Connect

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: TK Google Fonts GDPR Compliant

Vulnerability: Missing Authorization to Font Deletion
Patched Version: 2.2.12
Recommended Action: Update to version 2.2.12, or a newer patched version

Plugin: Ajax Pagination and Infinite Scroll

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YITH WooCommerce Waitlist

Vulnerability: Cross-Site Request Forgery via ‘save_mail_status’
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘redirectionPageContent’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: tencentcloud-cos

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wicked Folders

Vulnerability: Missing Authorization on ajax_move_object
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Product Code for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Missing Authorization via get
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: Custom Header Images

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Broken Link Manager

Vulnerability: Cross-Site Scripting
Patched Version: 0.5.0
Recommended Action: Update to version 0.5.0, or a newer patched version

Plugin: lastfm-rotation

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Call Now Button – The #1 Click to Call Button for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Support Board

Vulnerability: Authenticated SQL Injection
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.3.24
Recommended Action: Update to version 4.3.24, or a newer patched version

Plugin: Predictive Search for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: sourceAFRICA

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Timeline – Vertical Timeline

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup by Supsystic

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10.5
Recommended Action: Update to version 1.10.5, or a newer patched version

Plugin: WP Register Profile With Shortcode

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: Unite Gallery Lite

Vulnerability: Authenticated (Administrator+) Local File Inclusion via ‘view’ parameter
Patched Version: 1.7.60
Recommended Action: Update to version 1.7.60, or a newer patched version

Plugin: Wise Agent Lead Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: CYSTEME Finder, the admin files explorer

Vulnerability: Arbitrary File Upload/Read
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Featured Image Caption

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.8.11
Recommended Action: Update to version 0.8.11, or a newer patched version

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: Type not specified on this page (affects versions <= 2.1.65)
Patched Version: 2.1.66
Recommended Action: Update to version 2.1.66, or a newer patched version

Plugin: Events Manager Pro

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages

Vulnerability: Information Disclosure
Patched Version: 1.9.4.1
Recommended Action: Update to version 1.9.4.1, or a newer patched version

Plugin: WP Construction Mode

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.92
Recommended Action: Update to version 1.92, or a newer patched version

Plugin: Google Forms

Vulnerability: Unauthenticated Server Side Request Forgery
Patched Version: 0.92
Recommended Action: Update to version 0.92, or a newer patched version

Plugin: WooCommerce

Vulnerability: Settings Bypass leading to Account Creation
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version

Plugin: WP VK-付费内容插件(付费阅读/资料/工具软件资源管理) (WP VK paid-content plugin: paid reading, materials and tool/software resource management)

Vulnerability: Cross-Site Request Forgery via AJAX actions
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: WP-RecentComments

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Custom Menu Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Data Tables Generator by Supsystic

Vulnerability: Cross-Site Scripting
Patched Version: 1.10.20
Recommended Action: Update to version 1.10.20, or a newer patched version

Plugin: BigBlueButton

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: dsSearchAgent: WordPress Edition

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Rights Access Manager

Vulnerability: Missing Authorization
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Float to Top Button

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Amministrazione Aperta

Vulnerability: Admin+ Local File Inclusion
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: Accordion Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Motors – Car Dealer, Classifieds & Listing

Vulnerability: Cross-Site Request Forgery via Multiple Functions
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Authenticated (Editor+) Privilege Escalation
Patched Version: 8.7
Recommended Action: Update to version 8.7, or a newer patched version

Plugin: SpiderVPlayer

Vulnerability: Multiple Blind Authenticated SQL Injections
Patched Version: 1.5.18
Recommended Action: Update to version 1.5.18, or a newer patched version

Plugin: rtMedia for WordPress, BuddyPress and bbPress

Vulnerability: Missing Authorization via export_settings
Patched Version: 4.6.15
Recommended Action: Update to version 4.6.15, or a newer patched version

Plugin: Organization chart

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Missing Authorization
Patched Version: 3.13.1
Recommended Action: Update to version 3.13.1, or a newer patched version

Core: WordPress MU

Vulnerability: Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: Promotion Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Yoast SEO

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Resize Image After Upload

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: True Ranker

Vulnerability: Directory Traversal/Arbitrary File Read
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Missing Authorization in ajaxCalculatePrice function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Recent Posts Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Share Button

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Translate Multilingual sites – TranslatePress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: MainWP Buddy Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Missing Authorization
Patched Version: 5.2.3.1
Recommended Action: Update to version 5.2.3.1, or a newer patched version

Plugin: Post Snippets – Custom WordPress Code Snippets Customizer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via ‘snippet_content’
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Custom Permalinks

Vulnerability: Type not specified on this page
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Advanced Booking Calendar

Vulnerability: Reflected Cross-Site Scripting via calId Parameter
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Online Lesson Booking

Vulnerability: Cross-Site Scripting
Patched Version: 0.8.7
Recommended Action: Update to version 0.8.7, or a newer patched version

Plugin: trust-form

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.9.0
Recommended Action: Update to version 3.9.0, or a newer patched version

Plugin: WordPress Brute Force Protection – Stop Brute Force Attacks

Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: WP BrowserUpdate

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Plugin: Simpel Reserveren 3

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 404 to Start

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Arbitrary File Read
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: CM Download Manager – Document and File Management

Vulnerability: Code Injection
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: WP CleanFix

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Event Calendar WD version

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.45
Recommended Action: Update to version 1.1.45, or a newer patched version

Plugin: Reusable Text Blocks

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Registration Forms

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Adminimize

Vulnerability: Cross-Site Scripting
Patched Version: 1.7.22
Recommended Action: Update to version 1.7.22, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Arbitrary File Upload
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Compact WP Audio Player

Vulnerability: Setting Change via Cross-Site Request Forgery
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.64.1
Recommended Action: Update to version 3.64.1, or a newer patched version

Plugin: Name Directory

Vulnerability: Cross-Site Scripting
Patched Version: 1.25.3
Recommended Action: Update to version 1.25.3, or a newer patched version

Plugin: FormCraft

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.5.16
Recommended Action: Update to version 1.5.16, or a newer patched version

Plugin: Stylish Price List – Price Table Builder & QR Code Restaurant Menu

Vulnerability: Missing Authorization
Patched Version: 7.0.18
Recommended Action: Update to version 7.0.18, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.38
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.38, 4.2.35, 4.3.31, 4.4.30, 4.5.29, 4.6.26, 4.7.26, 4.8.22, 4.9.23, 5.0.19, 5.1.16, 5.2.18, 5.3.15, 5.4.13, 5.5.12, 5.6.11, 5.7.9, 5.8.7, 5.9.6, 6.0.4, 6.1.2, 6.2.1

Plugin: Social Ring (Facebook Like, Google +1, ReTweet, LinkedIn and Pin It)

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: WPML

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.3.7
Recommended Action: Update to version 4.3.7, or a newer patched version

Plugin: Import CSV Files

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Video Player for YouTube

Vulnerability: Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Minimal Coming Soon – Coming Soon Page

Vulnerability: Missing Authorization to Export Settings/Theme Change
Patched Version: 2.17
Recommended Action: Update to version 2.17, or a newer patched version

Plugin: WP Simple Galleries

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Hierarchy (parent) to post

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.13
Recommended Action: Update to version 3.13, or a newer patched version

Plugin: EXMAGE – WordPress Image Links

Vulnerability: Admin+ Blind SSRF
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: URL Cloak & Encrypt

Vulnerability: Cross-Site Scripting
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: Google Maps Anywhere

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Type not specified on this page (affects version 5.9.1)
Patched Version: 5.9.2
Recommended Action: Update to version 5.9.2, or a newer patched version

Plugin: Accessibility

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Exxp

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.174.1
Recommended Action: Update to version 5.174.1, or a newer patched version

Plugin: Chained Quiz

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.7.2
Recommended Action: Update to version 1.2.7.2, or a newer patched version

Plugin: Porto Theme – Functionality

Vulnerability: Type not specified on this page (affects versions <= 2.11.1)
Patched Version: 2.12.1
Recommended Action: Update to version 2.12.1, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.23.3
Recommended Action: Update to version 4.23.3, or a newer patched version

Plugin: Like Button Rating ♥ LikeBtn

Vulnerability: Server-Side Request Forgery
Patched Version: 2.6.32
Recommended Action: Update to version 2.6.32, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.22.3
Recommended Action: Update to version 5.22.3, or a newer patched version

Plugin: WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件 (WordPress Alipay | Tenpay | PayPal integration plugin)

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BSK Contact Form 7 Blacklist

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated SQL Injection
Patched Version: 1.3.38
Recommended Action: Update to version 1.3.38, or a newer patched version

Plugin: Ultimate Category Excluder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Information Disclosure
Patched Version: 1.14.14
Recommended Action: Update to version 1.14.14, or a newer patched version

Plugin: Skippy WP-DB Backup (Legacy Core Plugin)

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPComplete

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: MWB Point of Sale (POS) for WooCommerce- Generate Barcodes, Process your Bills, Synchronize, Your Online-Offline Orders

Vulnerability: Missing Authorization
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Subscribe2 – Form, Email Subscribers & Newsletters

Vulnerability: Cross-Site Request Forgery
Patched Version: 10.38
Recommended Action: Update to version 10.38, or a newer patched version

Plugin: Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS

Vulnerability: Courses for Membership Add On <= 1.2.3
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: IP2Location Country Blocker

Vulnerability: Unauthenticated Sensitive Information Exposure via Debug Log File
Patched Version: 2.33.4
Recommended Action: Update to version 2.33.4, or a newer patched version

Plugin: Ultimate TinyMCE

Vulnerability: Cross-Site Scripting
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: Bulk NoIndex & NoFollow Toolkit

Vulnerability: Reflected Cross-Site Scripting via ‘s’
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Custom Field Suite

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.5.15
Recommended Action: Update to version 2.5.15, or a newer patched version

Plugin: WP Spell Check

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 9.13
Recommended Action: Update to version 9.13, or a newer patched version

Plugin: DSubscribers

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: WP Events Calendar Plugin

Vulnerability: SQL Injection
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Image Hover Effects Css3

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form – Custom Builder, Payment Form, and More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, Point Rewards, Referral Points, Reward for Points, User Badges, and Gamification

Vulnerability: Missing Authorization
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: cforms

Vulnerability: Cross-Site Scripting
Patched Version: 10.5
Recommended Action: Update to version 10.5, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Cross-Site Request Forgery to Plugin Activation
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: IgniteUp – Coming Soon and Maintenance Mode

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Easy Plugin for AdSense

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.10
Recommended Action: Update to version 6.10, or a newer patched version

Plugin: Testimonial Rotator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Asgaros Forum

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.15.13
Recommended Action: Update to version 1.15.13, or a newer patched version

Plugin: Taskbuilder – WordPress Project & Task Management plugin

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: IDOR to Sensitive Information Disclosure
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: Favicon by RealFaviconGenerator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.23
Recommended Action: Update to version 1.3.23, or a newer patched version

Plugin: bbPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.10
Recommended Action: Update to version 2.5.10, or a newer patched version

Plugin: Donations via PayPal

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Arbitrary File Upload
Patched Version: 3.0.16
Recommended Action: Update to version 3.0.16, or a newer patched version

Plugin: Find and Replace All

Vulnerability: Cross-Site Request Forgery to Arbitrary Content Replacement
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Bypass URL Validation
Patched Version: 3.7.19
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.19, 3.8.19, 3.9.17, 4.0.16, 4.1.16, 4.2.13, 4.3.9, 4.4.8, 4.5.7, 4.6.4, 4.7.3

Plugin: Realia

Vulnerability: Arbitrary Post Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: ELEX WooCommerce Google Shopping (Google Product Feed)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Donations Made Easy – Smart Donations

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Access Control Bypass
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Feeds for YouTube (YouTube video, channel, and gallery plugin)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Unauthenticated Blind SQL Injection via current_page_type
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version

Plugin: All 404 Redirect to Homepage

Vulnerability: Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: WP Directory Kit

Vulnerability: Open Redirect
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.11.4
Recommended Action: Update to version 6.11.4, or a newer patched version

Plugin: Form Store to DB

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Featured Posts by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: WP OAuth Server ( Login with WordPress )

Vulnerability: Authentication Bypass
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: ICS Calendar

Vulnerability: Authenticated (Contributor+) Directory Traversal via _url_get_contents
Patched Version: 10.12.0.2
Recommended Action: Update to version 10.12.0.2, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Directory Traversal to Arbitrary File Access
Patched Version: 3.7.16
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.16, 3.8.16, 3.9.14, 4.0.13, 4.1.13, 4.2.10, 4.3.6, 4.4.5, 4.5.4, 4.6.1

Plugin: Realia

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.2
Recommended Action: Update to version 0.9.2, or a newer patched version

Plugin: WP Shopping Pages

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form DB

Vulnerability: Cross-Site Scripting
Patched Version: 2.8.20
Recommended Action: Update to version 2.8.20, or a newer patched version

Plugin: Mass Email To users

Vulnerability: Unauthenticated Reflected Cross-Site Scripting via ‘entrant’
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: SEO Rank Reporter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcart e-Commerce

Vulnerability: SQL Injection
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: Contact Form 7 Database Addon – CFDB7

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.6.1
Recommended Action: Update to version 1.2.6.1, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: Multiple Vulnerabilities
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager

Vulnerability: Unauthenticated Reflected Cross-Site Scripting via Tag Filter Links
Patched Version: 2.0.13.1
Recommended Action: Update to version 2.0.13.1, or a newer patched version

Plugin: Complete Open Graph

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Title Experiments Free

Vulnerability: SQL Injection
Patched Version: 9.0.1
Recommended Action: Update to version 9.0.1, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: 2.9.42
Patched Version: 2.9.42.1
Recommended Action: Update to version 2.9.42.1, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Directory Traversal
Patched Version: 1.14.2.2
Recommended Action: Update to version 1.14.2.2, or a newer patched version

Plugin: Themify Portfolio Post

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Album Gallery – WordPress Gallery

Vulnerability: Cross-Site Request Forgery via album-gallery-column-settings.php
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon

Vulnerability: Reflected Cross-Site Scripting via keyword
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: WP Image Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rife Elementor Extensions & Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: VideoWhisper Video Presentation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.31
Recommended Action: Update to version 3.31, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting in Language Settings
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version

Plugin: WP Super Cache

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: seolinkrotator

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Global Multisite Search

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CRM and Lead Management by vcita

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.95
Recommended Action: Update to version 3.6.95, or a newer patched version

Plugin: uContext for Amazon

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Better Font Awesome

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Product Slider for WooCommerce by PickPlugins

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.13.22
Recommended Action: Update to version 1.13.22, or a newer patched version

Plugin: KD Coming Soon

Vulnerability: Unauthenticated PHP Object Injection via cetitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Thumbnail carousel slider

Vulnerability: Stored Cross-Site Scripting and Cross-Site Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Solid Central – Site Management, Backups, Security, and Reporting

Vulnerability: Cross-Site Request Forgery and Missing Authorization via ‘hide_authenticate_notice’
Patched Version: 2.1.14
Recommended Action: Update to version 2.1.14, or a newer patched version

Plugin: User Profile Picture

Vulnerability: Authenticated Insecure Direct Object Reference
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: BuddyPress Extended Friendship Request

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: WP Backup+

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Subscribe to Category

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Login New User After Registration

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via alnuar_auto_login_new_user_after_registration_redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Security & Malware scan by CleanTalk

Vulnerability: Missing Authorization
Patched Version: 2.51
Recommended Action: Update to version 2.51, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery via wp_ajax_wp_compression_test
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Cross-Site Scripting
Patched Version: 7.1.05
Recommended Action: Update to version 7.1.05, or a newer patched version

Plugin: Japanized For WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: ZoomSounds – WordPress Wave Audio Player with Playlist

Vulnerability: Arbitrary File Upload
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Be POPIA Compliant

Vulnerability: Sensitive Information Exposure
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version

Core: WordPress

Vulnerability: Shared User Instance Weakness
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Plugin: Banner Effect Header

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Analyticator

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.9.4
Recommended Action: Update to version 6.4.9.4, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.6.0
Recommended Action: Update to version 5.6.0, or a newer patched version

Plugin: Easy Google Maps

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.32
Recommended Action: Update to version 1.9.32, or a newer patched version

Plugin: WP 2FA – Two-factor authentication for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Theme My Login

Vulnerability: Local File Inclusion
Patched Version: 6.3.10
Recommended Action: Update to version 6.3.10, or a newer patched version

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Campaign Message
Patched Version: 3.1.20
Recommended Action: Update to version 3.1.20, or a newer patched version

Plugin: Menu Image, Icons made easy

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version

Plugin: SMTP by BestWebSoft

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: About Author

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Sliced Invoices – WordPress Invoice Plugin

Vulnerability: Authenticated SQL Injection
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 14.0
Recommended Action: Update to version 14.0, or a newer patched version

Plugin: Popup by Supsystic

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.20
Recommended Action: Update to version 1.10.20, or a newer patched version

Plugin: Image Zoom

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Job Board

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.7
Recommended Action: Update to version 2.10.7, or a newer patched version

Plugin: ANAC XML Bandi di Gara

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcodes and extra features for Phlox theme

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.8
Recommended Action: Update to version 2.9.8, or a newer patched version

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Missing Authorization
Patched Version: 7.13.55
Recommended Action: Update to version 7.13.55, or a newer patched version

Plugin: Invite Anyone

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version

Plugin: DZS Video Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce PayPal Payments

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Lead Deletion
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Count per Day

Vulnerability: Arbitrary File Download
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: EnvíaloSimple: Email Marketing y Newsletters

Vulnerability: Cross-Site Scripting
Patched Version: 1.98
Recommended Action: Update to version 1.98, or a newer patched version

Plugin: SAML Single Sign On – SSO Login

Vulnerability: Cross-Site Scripting
Patched Version: 4.8.84
Recommended Action: Update to version 4.8.84, or a newer patched version

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional

Vulnerability: Unauthenticated Stored Cross-Site Scripting via profile_title
Patched Version: 1.0.8.1
Recommended Action: Update to version 1.0.8.1, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: GDPR/CCPA Cookie Consent <= 6.4.4
Patched Version: 6.4.5
Recommended Action: Update to version 6.4.5, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcodes
Patched Version: 2.9.12
Recommended Action: Update to version 2.9.12, or a newer patched version

Plugin: wpDataTables (Premium)

Vulnerability: Improper Access Control leading to Table Permission Takeover
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Age Gate

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.16.4
Recommended Action: Update to version 2.16.4, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Easy Coming Soon

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Image and Video Lightbox, Image PopUp

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: WordPress Font Uploader

Vulnerability: Arbitrary File Upload
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Elastic Email Sender

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Admin+ Arbitrary File Upload
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.15
Recommended Action: Update to version 2.9.15, or a newer patched version

Plugin: GamePress – The Game Database Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Unauthenticated Privilege Escalation via User Roles
Patched Version: 2.1.12
Recommended Action: Update to version 2.1.12, or a newer patched version

Plugin: Use-Your-Drive

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.18.3
Recommended Action: Update to version 1.18.3, or a newer patched version

Plugin: Splashscreen

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FeedWordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2015.0514
Recommended Action: Update to version 2015.0514, or a newer patched version

Plugin: Meteor Slides

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: WP Dark Mode – WordPress Dark Mode Plugin for Improved Accessibility, Dark Theme, Night Mode, and Social Sharing

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: YARPP – Yet Another Related Posts Plugin

Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: 5.30.5
Recommended Action: Update to version 5.30.5, or a newer patched version

Plugin: Mailchimp for WooCommerce

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: adminer

Vulnerability: Security Bypass to Database Login
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-in-One WP Migration and Backup

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version

Plugin: String locator

Vulnerability: Cross-Site Request Forgery to PHAR Deserialization
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Subscribe2 – Form, Email Subscribers & Newsletters

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 8.1
Recommended Action: Update to version 8.1, or a newer patched version

Core: WordPress

Vulnerability: Revision History Disclosure
Patched Version: 3.7.15
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.15, 3.8.15, 3.9.13, 4.0.12, 4.1.12, 4.2.9, 4.3.5, 4.4.4, 4.5.3

Plugin: GD Rating System

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Download Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.60
Recommended Action: Update to version 3.2.60, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: MathJax-LaTeX

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Ultimate Dashboard – Custom WordPress Dashboard

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.7.12
Recommended Action: Update to version 3.7.12, or a newer patched version

Plugin: EELV Newsletter

Vulnerability: Cross-Site Scripting
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 2.1.23
Recommended Action: Update to version 2.1.23, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Unauthenticated SQL Injection via cg_Fields
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: SAML Single Sign On – SSO Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.8.76
Recommended Action: Update to version 4.8.76, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Arbitrary File Upload
Patched Version: 2.8.1.2
Recommended Action: Update to version 2.8.1.2, or a newer patched version

Plugin: WP-Invoice – Web Invoice and Billing

Vulnerability: Unauthorized Settings Change
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Easy Contact Form Pro

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.1.1.9
Recommended Action: Update to version 1.1.1.9, or a newer patched version

Plugin: OneLogin SAML SSO

Vulnerability: Authentication Bypass
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: alfred24 Click & Collect

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Aajoda Testimonials

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: FreshMail For WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pricing Deals for WooCommerce

Vulnerability: Missing Authorization via vtprd_ajax_clone_rule
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Register Plus

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom 404 Pro

Vulnerability: Unauthenticated Stored Cross-Site Scripting via logging
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version

Plugin: Star CloudPRNT for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: Sensitive Information Exposure
Patched Version: 0.9.2.5
Recommended Action: Update to version 0.9.2.5, or a newer patched version

Plugin: 404 to 301 – Redirect, Log and Notify 404 Errors

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: WP Front-End Repository Manager

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ImageLinks Interactive Image Builder for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Vulnerability: Missing Authorization
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: WP Custom Cursors | WordPress Cursor Plugin

Vulnerability: Cross-Site Request Forgery to Cursor Manipulation
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Core: WordPress

Vulnerability: All known versions
Patched Version: No patched version available
Recommended Action: No known patch available. Review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance.

Plugin: bbPress Toolkit

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leaflet Maps Marker Pro

Vulnerability: SQL Injection
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Duplicate Page and Post

Vulnerability: Malicious Backdoor
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPGlobus – Multilingual WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Keap Landing Pages

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cookie Bar

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version

Plugin: ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: MX Time Zone Clocks

Vulnerability: Contributor+ Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: EventON

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Content Copy Protection & Prevent Image Save

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Shop

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.4.3.19
Recommended Action: Update to version 3.4.3.19, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Incorrect Authorization Checks Allowing Post Modification
Patched Version: 1.0.126
Recommended Action: Update to one of the following versions, or a newer patched version: 1.0.126, 2.3.12

Plugin: Virtual Robots.txt

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Plugin: Google XML Sitemap for Images

Vulnerability: Cross-Site Request Forgery via image_sitemap_generate
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: wp-FileManager

Vulnerability: Arbitrary File Upload
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 118
Recommended Action: Update to version 118, or a newer patched version

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: Sensitive Information Disclosure
Patched Version: 2.53
Recommended Action: Update to version 2.53, or a newer patched version

Plugin: Calendar_plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LayerSlider

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version

Plugin: Checkout Field Manager (Checkout Manager) for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.7
Recommended Action: Update to version 5.5.7, or a newer patched version

Plugin: WP HTML Author Bio

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Loginizer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Simple Retail Menus

Vulnerability: SQL Injection
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: Quick Page/Post Redirect Plugin

Vulnerability: Redirect Security Bypass
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: Leaflet Maps Marker Pro

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: FileOrganizer – Manage WordPress and Website Files

Vulnerability: Authenticated (Admin+) Arbitrary File Access
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: WP Affiliate Disclosure

Vulnerability: Cross-Site Request Forgery via check_capability
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 1.5.1.3
Recommended Action: Update to version 1.5.1.3, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11.8
Recommended Action: Update to version 1.11.8, or a newer patched version

Plugin: Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘attach_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Shariff for WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: WordPress Language

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MainWP Google Analytics Extension

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: Auto Amazon Links – Amazon Associates Affiliate Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via style
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: 3xSocializer

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cryptographp

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Spam Protection Bypass
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Debug Bar – Enable WP_DEBUG from admin dashboard

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.86
Recommended Action: Update to version 1.86, or a newer patched version

Plugin: WP SOCIAL BOOKMARK MENU

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced XML Reader

Vulnerability: External Entity Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Missing Authorization
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: eID Easy

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: Booking.com Product Helper

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Simple Calendar – Google Calendar Plugin

Vulnerability: Cross-Site Request Forgery via bulk_actions
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: Data Tables Generator by Supsystic

Vulnerability: Time-Based Blind SQL Injection
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version

Plugin: N5 Upload Form

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Brafton

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: OSM – OpenStreetMap

Vulnerability: OpenStreetMap <= 6.0
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: External Links – nofollow, noopener & new window

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 2.56
Recommended Action: Update to version 2.56, or a newer patched version

Plugin: Login | Login Page | Login Logo | Rename Login Page | Custom Login Page | Temporary Users | Rebrand Login | Login Captcha

Vulnerability: 1.1.1
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: WP Upload Restriction

Vulnerability: No subtitle
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Share-one-Drive

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.3
Recommended Action: Update to version 1.15.3, or a newer patched version

Plugin: Advanced Local Pickup for WooCommerce

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Lead Generated

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.25
Recommended Action: Update to version 1.25, or a newer patched version

Plugin: Better RSS Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery via process_deactivate_product
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version

Plugin: The School Management – Education & Learning Management

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: WP Activity Log

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Express Shop

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘layouts’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Divi Builder

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.17.3
Recommended Action: Update to version 2.17.3, or a newer patched version

Plugin: Appointment Booking and Scheduling Calendar Plugin – Webba Booking

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: VK Blocks

Vulnerability: Authenticated (Contributor+) Settings Update
Patched Version: 1.57.0.10
Recommended Action: Update to version 1.57.0.10, or a newer patched version

Plugin: Icons Font Loader – Load Various Web Fonts & Icons on WP

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Popup by Supsystic

Vulnerability: Prototype Pollution
Patched Version: 1.10.19
Recommended Action: Update to version 1.10.19, or a newer patched version

Plugin: Product Carousel Slider & Grid Ultimate for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: Make Connector

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Laposta Signup Embed

Vulnerability: Missing Authorization
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Contact Form Builder by vcita

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.1
Recommended Action: Update to version 4.10.1, or a newer patched version

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin

Vulnerability: Missing Authorization
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Interactive Image Map Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Real3D Flipbook

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Contributor+ Stored Cross-Site Scripting via File Thumbnail
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.0.18
Recommended Action: Update to version 3.0.18, or a newer patched version

Plugin: Coru LFMember

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form for WordPress – Ultimate Form Builder Lite

Vulnerability: SQL Injection to PHP Object Injection
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Insecure Direct Object Reference
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: NOO Timetable

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slide Anything – Responsive Content / HTML Slider and Carousel

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

Plugin: Mega Main Menu

Vulnerability: Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RSVPMaker

Vulnerability: Authenticated (Admin+) SQL Injection via ‘delete’ parameter
Patched Version: 9.9.4
Recommended Action: Update to version 9.9.4, or a newer patched version

Plugin: Contact Form Check Tester

Vulnerability: Authenticated (Subscriber+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress Export Import – WordPress extension for LearnPress

Vulnerability: Export/Import Courses <= 4.0.2
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: EnvíaloSimple: Email Marketing y Newsletters

Vulnerability: No subtitle
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: WP Offload SES Lite

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Download Monitor

Vulnerability: Cross-Site Scripting via p Parameter
Patched Version: 3.3.6.2
Recommended Action: Update to version 3.3.6.2, or a newer patched version

Plugin: wptf-image-gallery

Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Server-Side Request Forgery
Patched Version: 3.7.13
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.13, 3.8.13, 3.9.11, 4.0.10, 4.1.10, 4.2.7, 4.3.3, 4.4.2

Plugin: Ptengine – Heatmap Analytics

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: WordPress Photo Gallery – Image Gallery

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPE Indoshipping

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooPayments: Integrated WooCommerce Payments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.5.0
Recommended Action: Update to version 6.5.0, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version

Plugin: WP CSV to Database – Insert CSV file content into WordPress database

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Gallery Plugin

Vulnerability: Unauthenticated Remote File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Related YouTube Videos

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Plugin: API Bearer Auth

Vulnerability: Cross-Site Scripting
Patched Version: 20190907
Recommended Action: Update to version 20190907, or a newer patched version

Plugin: Very Simple Breadcrumb

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Vendors

Vulnerability: Authenticated (Shop manager+) SQL Injection
Patched Version: 2.1.79
Recommended Action: Update to version 2.1.79, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Missing Authorization
Patched Version: 1.0.42.2
Recommended Action: Update to version 1.0.42.2, or a newer patched version

Plugin: Podlove Podcast Publisher

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 2.3.16
Recommended Action: Update to version 2.3.16, or a newer patched version

Plugin: WP Super Cache

Vulnerability: Directory Listing
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Theme My Login 2fa

Vulnerability: 2FA Bypass via Brute Force
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Add Posts to Pages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Cross-Site Request Forgery via delete_profiles_data
Patched Version: 1.4.1.5
Recommended Action: Update to version 1.4.1.5, or a newer patched version

Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.2.8
Recommended Action: Update to version 8.2.8, or a newer patched version

Plugin: intouch

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Contact Form, Drag and Drop Form Builder Plugin – Live Forms

Vulnerability: SQL Injection
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Podcasting Plugin by TSG

Vulnerability: Remote File Inclusion
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Administrator Open Redirect
Patched Version: 3.4.34
Recommended Action: Update to version 3.4.34, or a newer patched version

Plugin: Simple Photo Gallery

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP 2FA – Two-factor authentication for WordPress

Vulnerability: Insecure Direct Object Reference
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0.35
Recommended Action: Update to version 2.0.35, or a newer patched version

Plugin: My Site Audit

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Appointment Booking Calendar

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.25
Recommended Action: Update to version 1.2.25, or a newer patched version

Plugin: Email Artillery (MASS EMAIL)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.28.0
Recommended Action: Update to version 1.28.0, or a newer patched version

Plugin: Calendar Event Multi View

Vulnerability: Insufficient Authorization
Patched Version: 1.4.15
Recommended Action: Update to version 1.4.15, or a newer patched version

Plugin: CMS Tree Page View

Vulnerability: Missing Authorization Checks
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Authenticated SQL Injection
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: WordPress Social Login

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: Gallery Bank – WordPress Photo Gallery Plugin

Vulnerability: SQL Injection
Patched Version: 3.0.102
Recommended Action: Update to version 3.0.102, or a newer patched version

Plugin: Enhanced Plugin Admin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.16
Recommended Action: Update to version 1.16, or a newer patched version

Plugin: wp-tmkm-amazon

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: RokIntroScroller

Vulnerability: Cross-Site Scripting
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Autocomplete Location field Contact Form 7

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: WP Private Message

Vulnerability: Insecure Direct Object Reference
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Contact Bank – Contact Form Builder for WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.20
Recommended Action: Update to version 2.0.20, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘addRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Zotpress

Vulnerability: Reflected Cross-Site Scripting via ‘PHP_SELF’
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version

Plugin: School Management System – WPSchoolPress

Vulnerability: Missing Authorization
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Duplicator Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.11.1
Recommended Action: Update to version 4.5.11.1, or a newer patched version

Plugin: All Video Gallery Plugin for WordPress

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GD Star Rating

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: vSlider Multi Image Slider for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Subscriber+) Information Exposure
Patched Version: 5.12.8
Recommended Action: Update to version 5.12.8, or a newer patched version

Plugin: Participants Database

Vulnerability: SQL Injection
Patched Version: 1.5.4.9
Recommended Action: Update to version 1.5.4.9, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version

Plugin: Add to home screen WP Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Reflected Cross-Site Scripting via ‘data’
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version

Plugin: RD Station

Vulnerability: Cross-Site Request Forgery to Plugin Log Deletion
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: MailPoet Newsletters (Previous)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Core: WordPress

Vulnerability: Missing Authorization Checks on create_post
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Google Doc Embedder

Vulnerability: SQL Injection
Patched Version: 2.5.17
Recommended Action: Update to version 2.5.17, or a newer patched version

Plugin: Jupiter X Core

Vulnerability: Authenticated Arbitrary Plugin Deactivation and Settings Modification
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Product Category Tree

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EventON

Vulnerability: Insecure Direct Object Reference to Unauthorized Post Access
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Vulnerability: Missing Authorization to Category Update
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Page Restrict

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: 404 Solution

Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 2.34.0
Recommended Action: Update to version 2.34.0, or a newer patched version

Plugin: Add to Feedly

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.32
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.32, 3.8.32, 3.9.30, 4.0.29, 4.1.29, 4.2.26, 4.3.22, 4.4.21, 4.5.20, 4.6.17, 4.7.16, 4.8.12, 4.9.13, 5.0.8, 5.1.4, 5.2.5, 5.3.1
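
The core entry above lists one fixed release per branch, so "or a newer patched version" only holds within the branch you are running: 4.7.15 is still vulnerable even though 3.9.30 appears in the list. The check below is an added example, not code from this advisory or from WordPress. It assumes the inventory comes from WP-CLI (`wp plugin list --format=json --fields=name,status,version` and `wp core version`); the JSON it parses is a constructed sample of that output, and the plugin slugs used as keys are assumptions, since the advisory gives display names only.

```python
"""Added example (not code from the advisory): flag installed WordPress
components that are still below a patched version listed on this page.

Assumptions: the inventory comes from WP-CLI (`wp plugin list --format=json
--fields=name,status,version` and `wp core version`); the JSON below is a
constructed sample of that output, and the plugin slugs used as keys are
assumed, since the advisory gives display names only.
"""
import json
import re

# Advisory data keyed by assumed slug -> patched versions as listed on the page.
# An empty list stands for "No patched version available".
ADVISORY = {
    "related-youtube-videos": ["1.9.9"],
    "api-bearer-auth": ["20190907"],
    "very-simple-breadcrumb": [],
    "simple-urls": ["115"],
    "wordpress-core": [
        "3.7.32", "3.8.32", "3.9.30", "4.0.29", "4.1.29", "4.2.26", "4.3.22",
        "4.4.21", "4.5.20", "4.6.17", "4.7.16", "4.8.12", "4.9.13", "5.0.8",
        "5.1.4", "5.2.5", "5.3.1",
    ],
}

# Constructed sample of `wp plugin list` JSON output and of `wp core version`.
WP_CLI_PLUGIN_LIST = """[
  {"name": "related-youtube-videos", "status": "active",   "version": "1.9.8"},
  {"name": "api-bearer-auth",        "status": "active",   "version": "20191010"},
  {"name": "very-simple-breadcrumb", "status": "inactive", "version": "1.0"},
  {"name": "simple-urls",            "status": "active",   "version": "115"}
]"""
WP_CORE_VERSION = "4.7.15"


def parse_version(text):
    """Turn '1.0.42.2', '20190907' or '115' into a comparable tuple.

    Components are split on '.' and '-'; numeric parts compare numerically and
    a non-numeric part (e.g. 'beta') sorts after numbers. The tuple is padded
    to four components so that '1.2' == '1.2.0' and the first two components
    always denote the release branch.
    """
    parts = [(0, int(p)) if p.isdigit() else (1, p)
             for p in re.split(r"[.\-]", text.strip()) if p]
    parts += [(0, 0)] * (4 - len(parts))
    return tuple(parts)


def branch(version_tuple):
    """Release branch = first two components (4.7 for 4.7.16)."""
    return version_tuple[:2]


def is_patched(installed, patched_versions):
    """True if `installed` is at or beyond a fix.

    Entries that list one fix per release branch (the core entries) are compared
    within the installed version's own branch. A branch newer than every listed
    one is treated as fixed; a branch older than the lowest listed one has no fix.
    """
    if not patched_versions:
        return False
    inst = parse_version(installed)
    fixes = sorted(parse_version(p) for p in patched_versions)
    same_branch = [f for f in fixes if branch(f) == branch(inst)]
    if same_branch:
        return inst >= same_branch[0]
    return branch(inst) > branch(fixes[-1])


def find_vulnerable(plugin_list_json, core_version, advisory=ADVISORY):
    """Return {slug: (installed_version, fix_hint)} for every still-vulnerable item.

    Inactive plugins are reported too: deactivating a plugin leaves its files on disk.
    """
    installed = {p["name"]: p["version"] for p in json.loads(plugin_list_json)}
    installed["wordpress-core"] = core_version
    findings = {}
    for slug, version in installed.items():
        fixes = advisory.get(slug)
        if fixes is None or is_patched(version, fixes):
            continue
        hint = ", ".join(fixes) if fixes else "no patched version; mitigate or remove"
        findings[slug] = (version, hint)
    return findings


if __name__ == "__main__":
    for slug, (version, hint) in find_vulnerable(WP_CLI_PLUGIN_LIST, WP_CORE_VERSION).items():
        print(f"{slug}: installed {version}, fixed in {hint}")
```

On the sample inventory this reports the 1.9.8 Related YouTube Videos install, the breadcrumb plugin with no fix, and core 4.7.15 (same branch as the 4.7.16 fix), while 20191010 of API Bearer Auth and 115 of Simple URLs pass. To use it on a real site, feed it the output of the two WP-CLI commands named in the lead-in; where the advisory says no patched version exists, the only outcomes are mitigation or removal, as the entries above state.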

Plugin: WPCargo Track & Trace

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 6.9.0
Recommended Action: Update to version 6.9.0, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.11.6
Recommended Action: Update to version 2.11.6, or a newer patched version

Plugin: SoundCloud Is Gold

Vulnerability: Missing Authorization to SoundCloud User Add
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Tabs

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version

Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box

Vulnerability: Sensitive Information Disclosure
Patched Version: 20220216
Recommended Action: Update to version 20220216, or a newer patched version

Core: WordPress

Vulnerability: Weak Multi-Site Activation Key for User and Site Signup
Patched Version: 3.7.17
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.17, 3.8.17, 3.9.15, 4.0.14, 4.1.14, 4.2.11, 4.3.7, 4.4.6, 4.5.5, 4.6.2, 4.7.1

Plugin: Floating Action Button

Vulnerability: Cross-Site Request Forgery to Settings Modification
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Extra Charges To Payment Gateway For WooCommerce (Standard)

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Userlike – WordPress Live Chat plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: SportsPress – Sports Club & League Manager

Vulnerability: Cross-Site Scripting
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Anti-Malware Security and Brute-Force Firewall

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.15.23
Recommended Action: Update to version 4.15.23, or a newer patched version

Plugin: Cross Slide

Vulnerability: Multiple Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Contact form 7 DB

Vulnerability: SQL Injection
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: User Access Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title_html_tag
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: WooCommerce Pre-Orders

Vulnerability: Cross-Site Request Forgery to Order Cancellation
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Top 10 – WordPress Popular posts by WebberZone

Vulnerability: Missing Authorization on tptn_ajax_clearcache
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Social Login by BestWebSoft

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 0.2
Recommended Action: Update to version 0.2, or a newer patched version

Plugin: HM Multiple Roles

Vulnerability: Privilege Escalation via Arbitrary Role Change
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Uploader

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Sharing Toolkit

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Quasar form free – Contact Form Builder for WordPress

Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘id’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PayPal Pro Add-on for iThemes Exchange

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: PDF & Print Button Joliprint

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Google Maps v3 Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Login WP

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.2.29
Recommended Action: Update to version 1.2.2.29, or a newer patched version

Plugin: Mail logging – WP Mail Catcher

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Missing Authorization
Patched Version: 1.8.16
Recommended Action: Update to version 1.8.16, or a newer patched version

Plugin: Email Queue by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Zendrop – Global Dropshipping

Vulnerability: SQL Injection in setMetaData
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version

Plugin: WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder

Vulnerability: Privilege Escalation
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: Login by Auth0

Vulnerability: Insecure Direct Object Reference
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms

Vulnerability: SQL Injection
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN

Vulnerability: Authenticated PHAR Deserialization
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Simple Popup Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Add User

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 Database Addon – CFDB7

Vulnerability: CSV Injection
Patched Version: 1.2.6.5
Recommended Action: Update to version 1.2.6.5, or a newer patched version

Plugin: Core Tweaks WP Setup

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MailerLite – Signup forms (official)

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: CSV Injection
Patched Version: 5.9.7.2
Recommended Action: Update to version 5.9.7.2, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version

Plugin: Better Font Awesome

Vulnerability: Missing Authorization to Plugin Options Update
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Multiple Page Generator Plugin – MPG

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.3.18
Recommended Action: Update to version 3.3.18, or a newer patched version

Plugin: HTML filter and csv-file search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: GDPR Cookie Consent by Supsystic

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Font Awesome More Icons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpForo Forum

Vulnerability: Cross-Site Scripting via langid parameter
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Vulnerability: Authenticated (Shop Manager+) PHP Object Injection via create_dummy_vendor
Patched Version: 3.7.20
Recommended Action: Update to version 3.7.20, or a newer patched version

Core: WordPress

Vulnerability: Full Path Disclosure
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Smart Floating / Sticky Buttons – Call, Sharing, Chat Widgets & More – Buttonizer

Vulnerability: Type not stated in the source entry; affected versions are Smart Floating Action Button <= 2.5.4
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: BuddyPress

Vulnerability: Missing Authorization to Group Creation
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version

Plugin: Survey Maker

Vulnerability: Reflected Cross-Site Scripting via ‘page’ parameter
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: Dynamic Word Spinner: CSS3 Animated Rotation

Vulnerability: Cross-Site Request Forgery via save_admin_options
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version

Plugin: Genki Pre-Publish Reminder

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WIP Custom Login

Vulnerability: Cross-Site Request Forgery via save_option
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.77.3
Recommended Action: Update to version 2.0.77.3, or a newer patched version

Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)

Vulnerability: Authenticated (Admin+) Arbitrary Options Update
Patched Version: 9.7.2
Recommended Action: Update to version 9.7.2, or a newer patched version

Plugin: simple-popup-images

Vulnerability: Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: GS Insever Portfolio

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Order Export & Order Import for WooCommerce

Vulnerability: Authenticated (Shop Manager+) Arbitrary File Upload via upload_import_file
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 0.9.69
Recommended Action: Update to version 0.9.69, or a newer patched version

Plugin: Portfolio – WordPress Portfolio Plugin

Vulnerability: Cross-Site Request Forgery in rtport_spare_me
Patched Version: 2.8.9
Recommended Action: Update to version 2.8.9, or a newer patched version

Plugin: WP Category Post List Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Portrait-Archiv.com Photostore

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery

Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 1.12.1
Recommended Action: Update to version 1.12.1, or a newer patched version

Plugin: Leads and Visitor Insights

Vulnerability: Authorization Bypass
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Export All Posts, Products, Orders, Refunds & Users

Vulnerability: SQL Injection
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: wp-football

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form Builder CP

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.32
Recommended Action: Update to version 1.2.32, or a newer patched version

Plugin: EU Cookie Law for GDPR/CCPA

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Reflected Cross-Site Scripting via code
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: Helpful

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.4.59
Recommended Action: Update to version 4.4.59, or a newer patched version

Plugin: AGCA – Custom Dashboard & Login Page

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 6.9
Recommended Action: Update to version 6.9, or a newer patched version

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Type not stated in the source entry; affected versions are Client Interface <= 3.9.1
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: CKEditor for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.3.1
Recommended Action: Update to version 4.5.3.1, or a newer patched version

Plugin: IBPS Online Exam Plugin for WordPress

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Scripting via Customizer
Patched Version: 3.7.15
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.15, 3.8.15, 3.9.13, 4.0.12, 4.1.12, 4.2.9, 4.3.5, 4.4.4, 4.5.3

Plugin: Dyslexiefont Free

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: RokStories

Vulnerability: Denial of Service
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version

Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.6.20
Recommended Action: Update to version 4.6.20, or a newer patched version

Plugin: Simple Ticker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.06
Recommended Action: Update to version 3.06, or a newer patched version

Plugin: Rich Reviews by Starfish

Vulnerability: SQL Injection
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version

Plugin: SpiderVPlayer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce

Vulnerability: Missing File Type Validation
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: Poll, Survey, Questionnaire and Voting system

Vulnerability: Unauthenticated Blind SQL Injection
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 17.0.18
Recommended Action: Update to version 17.0.18, or a newer patched version

Plugin: WooCommerce Ship to Multiple Addresses

Vulnerability: Insecure Direct Object Reference
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: Motors – Car Dealer, Classifieds & Listing

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: PCA Predict

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 115
Recommended Action: Update to version 115, or a newer patched version

Plugin: Organization chart

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Cross-Site Request Forgery via admin_slides
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Mail Masta

Vulnerability: SQL Injection via id parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gestion-Pymes

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: 4.1.5.2 Authorization Bypass
Patched Version: 4.1.5.3
Recommended Action: Update to version 4.1.5.3, or a newer patched version

Plugin: Simple Membership

Vulnerability: Authenticated (Admin+) SQL Injections
Patched Version: 4.0.4
Recommended Action: Update to version 4.0.4, or a newer patched version

Plugin: WooCommerce Warranty Requests

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Dynamics 365 Integration

Vulnerability: Missing Authorization via wp_ajax_wpcrm_log & wp_ajax_wpcrm_log_verbosity
Patched Version: 1.3.13
Recommended Action: Update to version 1.3.13, or a newer patched version

Plugin: Tiny carousel horizontal slider plus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: jRSS Widget

Vulnerability: Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: External Videos

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Hide Admin Bar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Converter for Media – Optimize images | Convert WebP & AVIF

Vulnerability: Unauthenticated Open Redirect
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: bbp style pack

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.6.8
Recommended Action: Update to version 5.6.8, or a newer patched version

Plugin: reCaptcha by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.28
Recommended Action: Update to version 1.28, or a newer patched version

Plugin: Mondial Relay & Chronopost plugin for WooCommerce – WCMultiShipping

Vulnerability: WCMultiShipping <= 2.3.7
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: contus-video-comments

Vulnerability: Remote File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WHA Crossword

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpDataTables (Premium)

Vulnerability: Blind SQL Injection via length Parameter
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Simple Link Directory

Vulnerability: Unauthenticated SQL Injection
Patched Version: 7.7.2
Recommended Action: Update to version 7.7.2, or a newer patched version

Plugin: XML for Google Merchant Center

Vulnerability: Reflected Cross-Site Scripting via page parameter
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Member Hero

Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AFS Analytics

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.16
Recommended Action: Update to version 4.16, or a newer patched version

Plugin: Visual Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Authentication Bypass
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Pricing Table by Supsystic

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting and Setting Changes
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: WP SEO Tags

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kanban Boards for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.21
Recommended Action: Update to version 2.5.21, or a newer patched version

Plugin: Booqable Rental Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.4.16
Recommended Action: Update to version 2.4.16, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Authenticated SQL Injection via order & orderby Parameters
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: Login with phone number

Vulnerability: Unauthenticated Remote Plugin Deletion
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.20.2
Recommended Action: Update to version 2.2.20.2, or a newer patched version

Plugin: BulletProof Security

Vulnerability: Cross-Site Scripting
Patched Version: .52.5
Recommended Action: Update to version .52.5, or a newer patched version

Plugin: Testimonial WordPress Plugin – AP Custom Testimonial

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.29
Recommended Action: Update to version 3.1.29, or a newer patched version

Plugin: Dropshipping & Affiliation with Amazon

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin side data storage for Contact Form 7

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OneClick Chat to Order

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.4.2
Recommended Action: Update to version 1.0.4.2, or a newer patched version

Plugin: Yandex Metrica Counter

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Menu Extension

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: Auto Affiliate Links

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.2.6
Recommended Action: Update to version 6.4.2.6, or a newer patched version

Plugin: Image Export

Vulnerability: Path Traversal
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: SAML Single Sign On – SSO Login

Vulnerability: Cross-Site Scripting
Patched Version: 4.8.73
Recommended Action: Update to version 4.8.73, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: LayerSlider

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version

Plugin: AnyMind Widget

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: DOM-based Cross-Site Scripting
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: Trust Payments Gateway for WooCommerce (JavaScript Library)

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service via oEmbed Protocol
Patched Version: 3.7.15
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.15, 3.8.15, 3.9.13, 4.0.12, 4.1.12, 4.2.9, 4.3.5, 4.4.4, 4.5.3

Plugin: Media File Renamer: Rename for better SEO (AI-Powered)

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.9.4
Recommended Action: Update to version 1.9.4, or a newer patched version

Plugin: Download Monitor

Vulnerability: Cross-Site Scripting via sort Parameter
Patched Version: 3.3.6.2
Recommended Action: Update to version 3.3.6.2, or a newer patched version

Plugin: qTranslate X

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Vulnerability: Subscriber+ Arbitrary Settings Update
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: Display Widgets

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.04
Recommended Action: Update to version 2.04, or a newer patched version

Plugin: WCP Contact Form

Vulnerability: Missing Authorization via downloadCsv
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Activity Log

Vulnerability: Authenticated (Administrator+) SQL Injection via txtsearch
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Complianz Premium – GDPR/CCPA Cookie Consent

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.4.8
Recommended Action: Update to version 6.4.8, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_start_cdn_integration_ajax_request_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: VR Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: AJAX Random Posts

Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.16.66
Recommended Action: Update to version 1.16.66, or a newer patched version

Plugin: Waiting: One-click countdowns

Vulnerability: Authenticated (Subscriber+) SQL Injection via ‘pbc_down[meta][id]’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.0.27
Recommended Action: Update to version 6.0.27, or a newer patched version

Plugin: Meta pixel for WordPress

Vulnerability: PHP Object Injection
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Podcast Subscribe Buttons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.74
Recommended Action: Update to version 3.74, or a newer patched version

Plugin: Fancy Product Designer

Vulnerability: Admin+ SQL Injection
Patched Version: 4.7.5
Recommended Action: Update to version 4.7.5, or a newer patched version

Plugin: Inspirational Quote Rotator

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Responsive Testimonials Slider And Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Podlove Podcast Publisher

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: Visitor Traffic Real Time Statistics

Vulnerability: Subscriber+ SQL Injection
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Server-Side Request Forgery
Patched Version: 1.0.95.1
Recommended Action: Update to version 1.0.95.1, or a newer patched version

Plugin: Crowdsignal Dashboard – Polls, Surveys & more

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: MP3-jPlayer

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 8.0.1
Recommended Action: Update to version 8.0.1, or a newer patched version

Plugin: WooPayments: Integrated WooCommerce Payments

Vulnerability: Missing Authorization via redirect_pay_for_order_to_update_payment_method
Patched Version: 5.9.1
Recommended Action: Update to version 5.9.1, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated WordPress Options Changes via AJAX
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: rtMedia for WordPress, BuddyPress and bbPress

Vulnerability: Local File Inclusion
Patched Version: 3.7.19
Recommended Action: Update to version 3.7.19, or a newer patched version

Plugin: Contact Form 7

Vulnerability: Authorization Bypass
Patched Version: 5.0.4
Recommended Action: Update to version 5.0.4, or a newer patched version

Plugin: MapSVG

Vulnerability: SQL Injection
Patched Version: 6.2.20
Recommended Action: Update to version 6.2.20, or a newer patched version

Plugin: Event Notifier

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Google Alert and Twitter Plugin

Vulnerability: Multiple Vulnerabilities
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Table

Vulnerability: Local File Inclusion
Patched Version: 1.44
Recommended Action: Update to version 1.44, or a newer patched version

Plugin: Simple Ads Manager

Vulnerability: Multiple SQL Injections
Patched Version: 2.7.97
Recommended Action: Update to version 2.7.97, or a newer patched version

Plugin: Flat Preloader

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Work The Flow File Upload

Vulnerability: Arbitrary File Upload
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 7.0.1
Recommended Action: Update to version 7.0.1, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Contributor+ Arbitrary Thumbnail Removal
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version

Plugin: WP STAGING WordPress Backup Plugin – Migration Backup Restore

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.9.18
Recommended Action: Update to version 2.9.18, or a newer patched version

Plugin: WP Mega Menu

Vulnerability: Unauthenticated Settings Update to Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Interactive Image Map Plugin – Draw Attention

Vulnerability: Missing Authorization to Arbitrary Post Featured Image Modification
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version

Plugin: Display Custom Post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LB Mixed Slideshow for WordPress

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: leenk.me

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Easy Digital Downloads – Upload File

Vulnerability: Arbitrary File Upload/Deletion
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Conversion Ninja

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Admin Management Xtended

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: Facebook Survey Pro

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Domain Redirect

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Nexter Extension

Vulnerability: Authenticated (Editor+) Remote Code Execution via metabox
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: OnePress Social Locker

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version

Plugin: Image Gallery – Responsive Photo Gallery

Vulnerability: SQL Injection
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: Upload Media By URL

Vulnerability: Cross-Site Request Forgery via ‘umbu_download’
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery to Plugin Reset
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3.4
Recommended Action: Update to version 1.5.3.4, or a newer patched version

Plugin: WP Super Cache

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Simple PopUp

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chartify – WordPress Chart Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: CataBlog

Vulnerability: Authenticated (Editor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Product Catalog Feed by PixelYourSite

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: MailChimp Forms by MailMunch

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Real Cookie Banner: GDPR & ePrivacy Cookie Consent

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.14.2
Recommended Action: Update to version 2.14.2, or a newer patched version

Plugin: Ketchup Restaurant Reservations

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.6.6
Recommended Action: Update to version 3.6.6, or a newer patched version

Plugin: WooCommerce Cart & Floating Cart

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Unauthenticated Admin Account Creation
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: Simple Membership

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.9
Recommended Action: Update to version 4.3.9, or a newer patched version

Plugin: Auto Featured Image (Auto Post Thumbnail)

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 3.9.16
Recommended Action: Update to version 3.9.16, or a newer patched version

Plugin: My Private Site

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: WP Forum Server

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: proquoter

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: miniOrange Discord Integration

Vulnerability: Missing Authorization to Plugin Options Update
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: YITH Request a Quote for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Shortcode for Current Date

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: JSM file_get_contents() Shortcode

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery via Shortcode
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Multi Step Form

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.13
Recommended Action: Update to version 1.7.13, or a newer patched version

Plugin: ALD – AliExpress Dropshipping and Fulfillment for WooCommerce Premium

Vulnerability: AliExpress Dropshipping and Fulfillment for WooCommerce Premium <= 1.1.0
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: File Manager

Vulnerability: Sensitive Information Exposure via Backup Filenames
Patched Version: 7.2.2
Recommended Action: Update to version 7.2.2, or a newer patched version

Plugin: Show-Hide / Collapse-Expand

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Ajax Search Lite – Live Search & Filter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.11.5
Recommended Action: Update to version 4.11.5, or a newer patched version

Plugin: ActiveDEMAND

Vulnerability: Missing Authorization Checks
Patched Version: 0.2.28
Recommended Action: Update to version 0.2.28, or a newer patched version

Plugin: Import / Export Customizer Settings

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: Post Meta Data Manager

Vulnerability: Missing Authorization to Post, Term, and User Meta Deletion
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Ibtana – WordPress Website Builder

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 1.1.4.9
Recommended Action: Update to version 1.1.4.9, or a newer patched version

Plugin: CMS Tree Page View

Vulnerability: Reflected Cross-Site Scripting via ‘post_type’
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin

Vulnerability: Missing Authorization to Cache Deletion
Patched Version: 1.2.50.0
Recommended Action: Update to version 1.2.50.0, or a newer patched version

Plugin: WP Guppy

Vulnerability: Information Disclosure
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Recently

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Block IPs for Gravity Forms

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: gAppointments – Appointment booking addon for Gravity Forms

Vulnerability: Appointment booking addon for Gravity Forms <= 1.9.7
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version

Plugin: Social Media Widget by Acurax

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Auto Location for WP Job Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Multiple Cross-Site Request Forgery
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Click to Chat – HoliThemes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.18.1
Recommended Action: Update to version 3.18.1, or a newer patched version

Plugin: Export to Text

Vulnerability: Unauthenticated Post Export
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Universal Analytics

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Image Hover Effects for Elementor with Lightbox and Flipbox

Vulnerability: Caption Hover with Carousel <= 2.8
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: User Post Gallery – UPG

Vulnerability: UPG <= 2.19
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Open Redirect
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Plugin: UniConsent CMP for IAB TCF GPP Consent Mode

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Question Title
Patched Version: 8.1.11
Recommended Action: Update to version 8.1.11, or a newer patched version

Plugin: LH Password Changer

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HD Quiz

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: WP Js External Link Info

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Cross-Site Request Forgery via apbct_settings__update_account_email
Patched Version: 6.21
Recommended Action: Update to version 6.21, or a newer patched version

Plugin: Maps Plugin using Google Maps for WordPress – WP Google Map

Vulnerability: Subscriber+ Arbitrary Post Deletion and Plugin Settings Update
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Malicious SVG
Patched Version: 4.16.3
Recommended Action: Update to version 4.16.3, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘uucss_update_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Contact Form for WordPress – Ultimate Form Builder Lite

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: InPost Gallery

Vulnerability: Local File Inclusion
Patched Version: 2.1.2.1
Recommended Action: Update to version 2.1.2.1, or a newer patched version

Plugin: Appointment Booking Calendar

Vulnerability: Multiple Reflected Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: All In One Favicon

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: SMTP Mailing Queue

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Vertical scroll recent post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Unauthenticated SQL Injection via user_id
Patched Version: 19.1.5.1
Recommended Action: Update to version 19.1.5.1, or a newer patched version

Plugin: Safe SVG

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: School Management System – WPSchoolPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Contact Bank – Contact Form Builder for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Directory Traversal
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: BuddyPress

Vulnerability: 1.5-1.5.4
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Quick Paypal Payments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.7.26.4
Recommended Action: Update to version 5.7.26.4, or a newer patched version

Plugin: Related Posts for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Injection Guard

Vulnerability: Cross-Site Request Forgery to Whitelist Update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Five Minute Webshop

Vulnerability: Authenticated (Admin+) SQL Injection via id
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Nested Pages

Vulnerability: Missing Authorization
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Easy SVG Allow

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Activation Email

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO by 10Web

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Subscriber+) Information Disclosure via mf shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: PayGreen – Ancienne version

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clean Login

Vulnerability: Cross-Site Scripting
Patched Version: 1.12.6.4
Recommended Action: Update to version 1.12.6.4, or a newer patched version

Plugin: WP Open Street Map

Vulnerability: Cross-Site Request Forgery via wp_openstreetmaps
Patched Version: 1.30
Recommended Action: Update to version 1.30, or a newer patched version

Plugin: Restaurant Reservations

Vulnerability: Options Change
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Ready! Ecommerce Shopping Cart

Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting
Patched Version: 0.5.1
Recommended Action: Update to version 0.5.1, or a newer patched version

Plugin: Event Registration Calendar By vcita

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: miwoftp

Vulnerability: Cross-Site Request Forgery to Arbitrary File Deletion
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Core: WordPress

Vulnerability: Same Origin Policy Bypass
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Toggle The Title

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Exit Box Lite

Vulnerability: Full Path Disclosure
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Core: WordPress

Vulnerability: XML External Entity (XXE) Weakness
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: Site Reviews

Vulnerability: Missing Authorization
Patched Version: 6.10.3
Recommended Action: Update to version 6.10.3, or a newer patched version

Plugin: FAQs Manager

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Layer Slider

Vulnerability: Cross-Site Request Forgery via save_slide_ajax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Plugin Mobile App Native 3.0

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Any Extension to Pages

Vulnerability: Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: SAML Single Sign On – SSO Login Standard

Vulnerability: Open Redirect
Patched Version: 16.0.8
Recommended Action: Update to version 16.0.8, or a newer patched version

Plugin: Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard

Vulnerability: Directory Traversal
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version

Plugin: MPL-Publisher — Ebook & Audiobook Creator

Vulnerability: Various Plugins (Various Versions)
Patched Version: 1.29.2
Recommended Action: Update to version 1.29.2, or a newer patched version

Plugin: Button Builder – Buttons X

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Cross-Site Request Forgery to Product Limit Update
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: kk Star Ratings – Rate Post & Collect User Feedbacks

Vulnerability: Missing Authorization
Patched Version: 5.4.6
Recommended Action: Update to version 5.4.6, or a newer patched version

Plugin: Easy Form Builder

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.5.7.1
Recommended Action: Update to version 2.5.7.1, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Cross-Site Scripting
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: BestWebSoft's Twitter

Vulnerability: Cross-Site Scripting
Patched Version: 2.55
Recommended Action: Update to version 2.55, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.19
Recommended Action: Update to version 1.15.19, or a newer patched version

Plugin: Ultimate Addons for Beaver Builder

Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 1.35.15
Recommended Action: Update to version 1.35.15, or a newer patched version

Plugin: Amazon Einzeltitellinks

Vulnerability: Cross-Site Request Forgery to Arbitrary Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Alpine Photo Tile for Instagram

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: WhitePage

Vulnerability: Cross-Site Request Forgery via params_api_form.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lightweight Accordion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.15
Recommended Action: Update to version 1.5.15, or a newer patched version

Plugin: WPO365 | Mail Integration for Office 365 / Outlook

Vulnerability: Reflected Cross-Site Scripting via error_description
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Drag and Drop Multiple File Upload – Contact Form 7

Vulnerability: Contact Form 7 <= 1.3.7.3
Patched Version: 1.3.7.4
Recommended Action: Update to version 1.3.7.4, or a newer patched version

Plugin: Ultimate SMS Notifications for WooCommerce

Vulnerability: CSV Injection
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Import Cross-Site Scripting
Patched Version: 1.12.1
Recommended Action: Update to version 1.12.1, or a newer patched version

Plugin: BERTHA AI. Your AI co-pilot for WordPress and Chrome

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.11.10.8
Recommended Action: Update to version 1.11.10.8, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Information Disclosure
Patched Version: 2.0.8
Recommended Action: Update to one of the following versions, or a newer patched version: 2.0.8, 2.1.6, 2.2.9, 2.3.9, 2.4.6, 2.5.4, 2.6.5, 2.7.4, 2.8.4, 2.9.5, 3.0.5, 3.1.4, 3.2.4, 3.3.5, 3.4.5, 3.5.5, 3.6.3, 3.7.4, 3.8.4, 3.9.8, 4.0.5, 4.1.2, 4.2.3, 4.3.3, 4.4.3, 4.5.1, 4.6.1, 4.7.2, 4.8.3, 4.9.1, 5.0.1, 5.1.2, 5.2.3, 5.3.2, 5.4.2, 5.5.3, 5.6.3, 5.7.3, 5.8.2, 5.9.2, 6.0.2, 6.1.3, 6.2.3, 6.3.5, 6.4.4, 6.5.2, 6.6.3, 6.7.2, 6.8.3, 6.9.2, 7.0.3, 7.1.3, 7.2.3, 7.3.3, 7.4.3, 7.5.5, 7.6.2, 7.7.4, 7.8.2, 7.9.2, 8.0.1, 8.1.2, 8.2.4, 8.3.1, 8.4.3, 8.5.1, 8.6.2, 8.7.2, 8.8.3, 8.9.2, 9.0.3, 9.1.1, 9.2.2, 9.3.3, 9.4.2, 9.5.3, 9.6.2, 9.7.1

Plugin: twitterDash

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Review Stream

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Qubely – Advanced Gutenberg Blocks

Vulnerability: Missing Authorization to Arbitrary Post Deletion
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Cross-Site Scripting
Patched Version: 0.4.5
Recommended Action: Update to version 0.4.5, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.4.2
Recommended Action: Update to version 3.0.4.2, or a newer patched version

Plugin: Social Slider Feed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Instant Images – One-click Image Uploads from Unsplash, Openverse, Pixabay, Pexels, and Giphy

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.4.0.1
Recommended Action: Update to version 4.4.0.1, or a newer patched version

Plugin: Void Elementor Post Grid Addon for Elementor Page builder

Vulnerability: Missing Authorization to Review Notice Dismissal
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Firelight Lightbox

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.8.18
Recommended Action: Update to version 1.8.18, or a newer patched version

Plugin: All in One SEO Pro – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic

Vulnerability: Authenticated (Admin+) Server Side Request Forgery
Patched Version: 4.2.6
Recommended Action: Update to version 4.2.6, or a newer patched version

Plugin: Contact Form X

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Swift SMTP (formerly Welcome Email Editor)

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0.7
Recommended Action: Update to version 5.0.7, or a newer patched version

Plugin: CP Contact Form with PayPal

Vulnerability: Authenticated Feedback Submission
Patched Version: 1.3.35
Recommended Action: Update to version 1.3.35, or a newer patched version

Plugin: GB Team Stats

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Document Embedder – Document Embedder Plugin

Vulnerability: Subscriber+ Arbitrary Private/Draft Post Title Disclosure
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Media File Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Fancy Product Designer

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 4.6.9
Recommended Action: Update to version 4.6.9, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘attach_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.32
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.32, 3.8.32, 3.9.30, 4.0.29, 4.1.29, 4.2.26, 4.3.22, 4.4.21, 4.5.20, 4.6.17, 4.7.16, 4.8.12, 4.9.13, 5.0.8, 5.1.4, 5.2.5, 5.3.1

Plugin: hybrid-composer

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: CBI Referral Manager

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Elegant Testimonial

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: English WordPress Admin

Vulnerability: Unauthenticated Open Redirect
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Missing Access Controls
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme

Vulnerability: Authorization Bypass due to Improper Access Control
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.8.7
Recommended Action: Update to version 6.8.7, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Authenticated Settings Reset via reset-cmb Parameter
Patched Version: 1.0.27.1
Recommended Action: Update to version 1.0.27.1, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.2.3
Recommended Action: Update to version 2.7.2.3, or a newer patched version

Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2021.18
Recommended Action: Update to version 2021.18, or a newer patched version

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Missing Authorization via handle_installation
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: MC4WP: Mailchimp for WordPress

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 4.0.11
Recommended Action: Update to version 4.0.11, or a newer patched version

Plugin: wp-publications

Vulnerability: Local File Inclusion
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: WP Product Review Lite

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version

Plugin: WooCommerce Cart & Floating Cart

Vulnerability: Missing Authorization
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: SMSmaster – Multipurpose SMS Gateway for WordPress

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Insert or Embed Articulate Content into WordPress

Vulnerability: Directory Traversal
Patched Version: 4.29991
Recommended Action: Update to version 4.29991, or a newer patched version

Plugin: Redirection

Vulnerability: Missing Authorization in ‘deleteRedirect’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Cross-Site Request Forgery to Settings Modification
Patched Version: 4.6.0.4
Recommended Action: Update to version 4.6.0.4, or a newer patched version

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: Smash Balloon Social Photo Feed – Easy Social Feeds Plugin

Vulnerability: Cross-Site Request Forgery to Back-Up Deletion
Patched Version: 1.12
Recommended Action: Update to version 1.12, or a newer patched version

Plugin: Contact Form by Supsystic

Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.7.25
Recommended Action: Update to version 1.7.25, or a newer patched version

Plugin: Go Pricing – WordPress Responsive Pricing Tables

Vulnerability: WordPress Responsive Pricing Tables <= 3.3.19
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 10.0.2
Recommended Action: Update to version 10.0.2, or a newer patched version

Plugin: kk Star Ratings – Rate Post & Collect User Feedbacks

Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: 5.4.4
Recommended Action: Update to version 5.4.4, or a newer patched version

Plugin: WP 2FA – Two-factor authentication for WordPress

Vulnerability: Missing Authorization
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: HDW WordPress Video Gallery

Vulnerability: Reflected Cross-Site Scripting via channel parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Slider Feed

Vulnerability: Missing Authorization to Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Myflash

Vulnerability: Remote File Inclusion
Patched Version: 1.11
Recommended Action: Update to version 1.11, or a newer patched version

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Sensitive Information Exposure
Patched Version: 4.1.10
Recommended Action: Update to version 4.1.10, or a newer patched version

Plugin: CF7 Google Sheets Connector Pro

Vulnerability: Reflected Cross-Site Scripting via ‘code’
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Arbitrary Account Creation
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Backup, Restore and Migrate your sites with XCloner

Vulnerability: 4.2.12
Patched Version: 4.2.153
Recommended Action: Update to version 4.2.153, or a newer patched version

Plugin: WP Forms Puzzle Captcha

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Unauthorized Account Access and Privilege Escalation
Patched Version: 4.10.8
Recommended Action: Update to version 4.10.8, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_preload_single_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: JetSearch

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.2.1
Recommended Action: Update to version 3.1.2.1, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Location Weather – Hourly, Daily Weather Forecast Widget and Weather Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 2.7.26
Recommended Action: Update to version 2.7.26, or a newer patched version

Plugin: Olevmedia Shortcodes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Appointment Booking Calendar

Vulnerability: Missing Authorization
Patched Version: 1.3.70
Recommended Action: Update to version 1.3.70, or a newer patched version

Plugin: WP Google Tag Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Artillery (MASS EMAIL)

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder
Patched Version: 4.7.8
Recommended Action: Update to version 4.7.8, or a newer patched version

Plugin: Restricted Site Access

Vulnerability: Sandbox Bypass
Patched Version: 7.4.0
Recommended Action: Update to version 7.4.0, or a newer patched version

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.16.2
Recommended Action: Update to version 5.16.2, or a newer patched version

Plugin: Download Monitor

Vulnerability: Authenticated Arbitrary File Download
Patched Version: 4.5.91
Recommended Action: Update to version 4.5.91, or a newer patched version

Plugin: Cool Timeline (Horizontal & Vertical Timeline)

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Contact Us Page – Contact People

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Yoast Duplicate Post

Vulnerability: SQL Injection
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Contributor+ Stored Cross-Site Scripting via Shortcodes
Patched Version: 3.9.11
Recommended Action: Update to version 3.9.11, or a newer patched version

Plugin: Booking Calendar – Clockwork SMS

Vulnerability: Clockwork SMS <= 1.0.5
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: WPMK Ajax Finder

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 8.3.1
Recommended Action: Update to version 8.3.1, or a newer patched version

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Authenticated Remote Code Execution
Patched Version: 2.4.22
Recommended Action: Update to version 2.4.22, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Reflected Cross-Site Scripting via ‘question’
Patched Version: 3.3.9.3
Recommended Action: Update to version 3.3.9.3, or a newer patched version

Plugin: Awesome Weather Widget

Vulnerability: Reflected Cross-Site Scripting via id Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iframe popup

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP 2FA – Two-factor authentication for WordPress

Vulnerability: Time-Based TOTP attack to Sensitive Information Exposure
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.1.2
Recommended Action: Update to version 1.5.1.2, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: wpDiscuz <= 7.3.11 Sensitive Information Disclosure
Patched Version: 7.3.12
Recommended Action: Update to version 7.3.12, or a newer patched version

Plugin: Event Calendar WD version

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.46
Recommended Action: Update to version 1.1.46, or a newer patched version

Plugin: WooCommerce Composite Products

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.7.6
Recommended Action: Update to version 8.7.6, or a newer patched version

Plugin: Accredible Certificates & Open Badges

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cart All In One For WooCommerce

Vulnerability: Cross-Site Request Forgery to Cart Changes
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version

Plugin: MapGeo – Interactive Geo Maps

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: WordPress Easy Custom Js And Css Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Missing Authorization via REST API
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Easy EU Value Added (VAT) Taxes Add-on

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: S3 Video Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 0.98
Recommended Action: Update to version 0.98, or a newer patched version

Plugin: Attendance Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.5.7
Recommended Action: Update to version 0.5.7, or a newer patched version

Plugin: Accept Donations with PayPal & Stripe

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: SQL Injection
Patched Version: 3.2.6.8
Recommended Action: Update to version 3.2.6.8, or a newer patched version

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Cross-Site Scripting via button_text_link parameter
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: 2kb Amazon Affiliates Store

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wonder PDF Embed

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VK All in One Expansion Unit

Vulnerability: Stored (Contributor+) Cross-Site Scripting in CTA Post
Patched Version: 9.88.2.0
Recommended Action: Update to version 9.88.2.0, or a newer patched version

Plugin: Team Showcase

Vulnerability: Object Injection
Patched Version: 1.22.16
Recommended Action: Update to version 1.22.16, or a newer patched version

Plugin: Easy Accordion – Responsive Accordion FAQ Builder and Product FAQ

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Store Locator WordPress

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via ‘category_name’, ‘description’, ‘description_2’ parameters
Patched Version: 1.4.10
Recommended Action: Update to version 1.4.10, or a newer patched version

Plugin: SiteOrigin Widgets Bundle

Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 1.51.0
Recommended Action: Update to version 1.51.0, or a newer patched version

Plugin: Email Tracker – Email Tracking Plugin to track Emails for Open and Email Links Click (Compatible with WooCommerce)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version

Plugin: Jupiter X Core

Vulnerability: 3.3.0
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: NAB Transact

Vulnerability: Payment System Bypass
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Search Everything

Vulnerability: SQL Injection
Patched Version: 7.0.3
Recommended Action: Update to version 7.0.3, or a newer patched version

Plugin: Phone Orders for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: HTML5 Webcam/Screen/Mic Recorder for Video Comments and Forms

Vulnerability: Cross-Site Scripting
Patched Version: 1.55.3
Recommended Action: Update to version 1.55.3, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Missing Authorization via wp_ajax_stm_wpcfto_get_settings
Patched Version: 2.9.35
Recommended Action: Update to version 2.9.35, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.6
Recommended Action: Update to version 3.8.6, or a newer patched version

Plugin: WP Support Plus Responsive Ticket System

Vulnerability: Arbitrary File Upload
Patched Version: 8.0.8
Recommended Action: Update to version 8.0.8, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: Admin+ SQL Injection
Patched Version: 2.2.13.1
Recommended Action: Update to version 2.2.13.1, or a newer patched version

Plugin: Raygun

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Flagallery-skins

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Private Files – File Upload & Download Manager with Secure File Sharing

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Smart Post Show – Post Grid, Post Carousel, Post Slider, Post Timeline, Post Table, and List Category Posts, Latest Posts, Recent Posts, Popular Posts and More

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.4.19
Recommended Action: Update to version 2.4.19, or a newer patched version

Plugin: Limit Login Attempts Reloaded

Vulnerability: Missing Authorization
Patched Version: 2.25.26
Recommended Action: Update to version 2.25.26, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: CSV Injection via a customer’s profile
Patched Version: 1.16.3.6
Recommended Action: Update to version 1.16.3.6, or a newer patched version

Plugin: Popup Like box – Page Plugin

Vulnerability: SQL Injection
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: Easy Testimonial Manager

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quotes llama

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘type’
Patched Version: 1.12.4
Recommended Action: Update to version 1.12.4, or a newer patched version

Plugin: Get Custom Field Values

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin widget
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: Transposh WordPress Translation

Vulnerability: Missing Authorization Checks
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Republish Old Posts

Vulnerability: Cross-Site Request Forgery via rop_options_page
Patched Version: 1.27
Recommended Action: Update to version 1.27, or a newer patched version

Plugin: WP Easy Gallery – WordPress Gallery Plugin

Vulnerability: SQL Injection
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version

Plugin: Community Events

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: Image Slider by NextCode – Photo & Video Slider

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Windows Desktop and iPhone Photo Uploader

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PWGRandom

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Table of Contents Plus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2212
Recommended Action: Update to version 2212, or a newer patched version

Plugin: Import WP – Export and Import CSV and XML files to WordPress

Vulnerability: Authenticated Arbitrary File Upload
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Flexible Elementor Panel

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Missing Authorization in ‘wpfc_purgecache_varnish_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: WP To Do

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: WooCommerce

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: YITH WooCommerce Gift Cards Premium

Vulnerability: Missing Authorization
Patched Version: 3.24.0
Recommended Action: Update to version 3.24.0, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 9.0.16
Recommended Action: Update to version 9.0.16, or a newer patched version

Plugin: Social Rocket – Social Sharing Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version

Plugin: Uji Popup

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via uji_popup_code shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Business Directory Plugin – Easy Listing Directories for WordPress

Vulnerability: Authenticated PHP4 Upload
Patched Version: 5.11.1
Recommended Action: Update to version 5.11.1, or a newer patched version

Plugin: SMSA Shipping for WooCommerce

Vulnerability: Authenticated (Subscriber+) Arbitrary File Download
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Widget Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AFI – The Easiest Integration Plugin

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.63.0
Recommended Action: Update to version 1.63.0, or a newer patched version

Plugin: Coming Soon, Under Construction & Maintenance Mode By Dazzler

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Torro Forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BlossomThemes Email Newsletter

Vulnerability: Missing Authorization
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Vision – Interactive Image Map Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Staff / Employee Business Directory for Active Directory

Vulnerability: Authenticated (Admin+) LDAP Passback
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Simple:Press Forum

Vulnerability: Authenticated (Admin+) Path Traversal to Arbitrary File Modification
Patched Version: 6.8.1
Recommended Action: Update to version 6.8.1, or a newer patched version

Plugin: Contextual Related Posts

Vulnerability: SQL Injection
Patched Version: 1.8.10.2
Recommended Action: Update to version 1.8.10.2, or a newer patched version

Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More

Vulnerability: Authenticated (Author+) Open Redirect
Patched Version: 6.9.19
Recommended Action: Update to version 6.9.19, or a newer patched version

Plugin: Portfolio, Gallery, Product Catalog – Grid KIT Portfolio

Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Pinterest RSS Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.27
Recommended Action: Update to version 1.0.27, or a newer patched version

Plugin: Essential Blocks Pro

Vulnerability: Unauthenticated PHP Object Injection via products
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Cross-Site Scripting
Patched Version: 7.1.03
Recommended Action: Update to version 7.1.03, or a newer patched version

Plugin: Insert Pages

Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: Fast Flow

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version

Plugin: Amministrazione Trasparente

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.0.5
Recommended Action: Update to version 8.0.5, or a newer patched version

Plugin: Featured Image Pro Post Grid

Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 5.15
Recommended Action: Update to version 5.15, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: Font Awesome 4 Menus

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Products Tables for WooCommerce. Use constructor to create tables

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.6.1
Recommended Action: Update to version 1.0.6.1, or a newer patched version

Plugin: Eupago Gateway For Woocommerce

Vulnerability: Cross-Site Request Forgery via eupago_page_content
Patched Version: 3.1.10
Recommended Action: Update to version 3.1.10, or a newer patched version

Plugin: WordPress Landing Pages

Vulnerability: Unauthenticated Remote Command Execution
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Core: WordPress

Vulnerability: Username Enumeration via Error Messages
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Food Store – Online Food Delivery & Pickup

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_transaction_id’ shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: WP-CopyProtect [Protect your blog posts]

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: WordPress Contact Form, Drag and Drop Form Builder Plugin – Live Forms

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: MSync

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Social Icons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: WordPress Popular Posts

Vulnerability: Unauthenticated Views Changes
Patched Version: 6.1.0
Recommended Action: Update to version 6.1.0, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via header_tag
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version

Plugin: WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy2Map

Vulnerability: Directory Traversal and Local File Inclusion
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Advanced Text Widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Convert to Blocks

Vulnerability: Prototype Pollution
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: CM Download Manager – Document and File Management

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 2.8.6
Recommended Action: Update to version 2.8.6, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Authenticated Shell Upload
Patched Version: 4.22
Recommended Action: Update to version 4.22, or a newer patched version

Plugin: WebEngage Feedback, Survey and Notification

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Core: WordPress

Vulnerability: PHAR Unserialization
Patched Version: 3.7.28
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1

Plugin: Translate WordPress – Google Language Translator

Vulnerability: Google Language Translator <= 6.0.11
Patched Version: 6.0.12
Recommended Action: Update to version 6.0.12, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.0.107.3
Recommended Action: Update to version 1.0.107.3, or a newer patched version

Plugin: Form Builder | Create Responsive Contact Forms

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Brizy – Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via Element URL
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: CP Reservation Calendar

Vulnerability: SQL Injection
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: YouTube Embed

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Captcha!

Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Customize Login Image

Vulnerability: Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Admin+ SQL Injection
Patched Version: 17.0.5
Recommended Action: Update to version 17.0.5, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Enable/Disable Auto Login when Register

Vulnerability: No vulnerability title available
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tussendoor – Open RDW

Vulnerability: Reflected Cross-Site Scripting via open_data_rdw_kenteken
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: WPBakery Page Builder for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version

Core: WordPress

Vulnerability: No vulnerability title available
Patched Version: 4.1.39
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.39, 4.2.36, 4.3.32, 4.4.31, 4.5.30, 4.6.27, 4.7.27, 4.8.23, 4.9.24, 5.0.20, 5.1.17, 5.2.19, 5.3.16, 5.4.14, 5.5.13, 5.6.12, 5.7.10, 5.8.8, 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2

Plugin: DeepL API translation plugin

Vulnerability: Cross-Site Request Forgery via saveSettings
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: HTML2WP

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CBX Map for Google Map & OpenStreetMap

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.12
Recommended Action: Update to version 1.1.12, or a newer patched version

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: Banner Effect Header

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: WP Smart Import : Import any XML File to WordPress

Vulnerability: Server-Side Request Forgery
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Website Contact Form With File Upload

Vulnerability: Arbitrary File Upload
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Sensitive Information Exposure
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Five Star Restaurant Reservations – WordPress Booking Plugin

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 2.4.12
Recommended Action: Update to version 2.4.12, or a newer patched version

Plugin: AgentEasy Properties

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 7.5.13
Recommended Action: Update to version 7.5.13, or a newer patched version

Plugin: SEO Redirection Plugin – 301 Redirect Manager

Vulnerability: Subscriber+ SQL Injection
Patched Version: 8.2
Recommended Action: Update to version 8.2, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: PDF Builder for WooCommerce. Create invoices,packing slips and more

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.2.92
Recommended Action: Update to version 1.2.92, or a newer patched version

Plugin: Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: WordPress Renaming Tool by Vlajo

Vulnerability: Path Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Floating Button

Vulnerability: Cross-Site Request Forgery via process_bulk_action
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version

Plugin: Timed Popup WordPress Plugin

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Annual Archive

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MailUp newsletter sign-up form

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Core: WordPress MU

Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Vision – Interactive Image Map Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: GTM4WP – A Google Tag Manager (GTM) plugin for WordPress

Vulnerability: Stored Cross-Site Scripting via Content Element ID
Patched Version: 1.15.2
Recommended Action: Update to version 1.15.2, or a newer patched version

Plugin: Booster for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: wpDataTables (Premium)

Vulnerability: Improper Access Control leading to Table Data Deletion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Melapress File Monitor

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.9.11
Recommended Action: Update to version 2.0.9.11, or a newer patched version

Plugin: RokIntroScroller

Vulnerability: Arbitrary File Upload
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: WP Upload Restriction

Vulnerability: Missing Authorization Checks
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Database Peek

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: acf-frontend-display

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Administrator Z

Vulnerability: Unauthorized File Upload via ACF
Patched Version: 2022.9.29
Recommended Action: Update to version 2022.9.29, or a newer patched version

Plugin: Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back

Vulnerability: Cross-Site Request Forgery via cbb_submit_settings_data
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Total Donations

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Event Registration Calendar By vcita

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Cross-Site Scripting
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Open Redirect
Patched Version: 3.7.2.4
Recommended Action: Update to version 3.7.2.4, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Reflected Cross-Site Scripting via Referer
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 7.3.5
Recommended Action: Update to version 7.3.5, or a newer patched version

Plugin: Waitlist Woocommerce ( Back in stock notifier )

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Authenticated (Admin+) Directory Traversal to Arbitrary File Deletion
Patched Version: 0.9.1.7
Recommended Action: Update to version 0.9.1.7, or a newer patched version

Plugin: gAppointments – Appointment booking addon for Gravity Forms

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version

Plugin: MP3-jPlayer

Vulnerability: Full Path Disclosure
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Custom 404 Pro

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout

Vulnerability: Stored (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Cart66 Lite :: WordPress Ecommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.1.15
Recommended Action: Update to version 1.5.1.15, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: I Recommend This

Vulnerability: SQL Injection
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: SQL Injection
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Insecure Direct Object Reference
Patched Version: 5.0.9
Recommended Action: Update to version 5.0.9, or a newer patched version

Plugin: Nextend Social Login and Register

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Database Backup for WordPress

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: GD Star Rating

Vulnerability: Blind SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Search Exclude

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Zendesk Support for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version

Plugin: Forget About Shortcode Buttons

Vulnerability: Missing Authorization via fasc_buttons
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Tainacan

Vulnerability: Cross-Site Scripting
Patched Version: 0.18.10
Recommended Action: Update to version 0.18.10, or a newer patched version

Plugin: Five Minute Webshop

Vulnerability: Authenticated (Admin+) SQL Injection via orderby
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via cg_option_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Core: WordPress

Vulnerability: Cache Poisoning
Patched Version: 3.7.31
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.31, 3.8.31, 3.9.29, 4.0.28, 4.1.28, 4.2.25, 4.3.21, 4.4.20, 4.5.19, 4.6.16, 4.7.15, 4.8.11, 4.9.12, 5.0.7, 5.1.3, 5.2.4

Plugin: Media Library Assistant

Vulnerability: Remote Code Execution via tax_query, meta_query, date_query Parameters
Patched Version: 2.82
Recommended Action: Update to version 2.82, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Cross-Site Scripting
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Goods Catalog

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HDW WordPress Video Gallery

Vulnerability: Reflected Cross-Site Scripting via playlist parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation and Deactivation
Patched Version: 13.1.2
Recommended Action: Update to version 13.1.2, or a newer patched version

Plugin: SMS Alert Order Notifications – WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: Activity Log – Monitor & Record User Changes

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Quttera Web Malware Scanner

Vulnerability: Sensitive Data Exposure
Patched Version: 3.4.2.1
Recommended Action: Update to version 3.4.2.1, or a newer patched version

Plugin: Userback

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: WP Contact Slider – Slide Out Contact Form for WordPress to display Contact Form 7, Gravity Forms, WP Forms, Ninja Forms, plain text/HTML & other shortcodes

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: 001 Prime Strategy Translate Accelerator

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Manager

Vulnerability: Missing Authorization to Arbitrary Popup Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Activity Reactions For Buddypress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Activity Log – Monitor & Record User Changes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: SQL Injection
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Simple CSV/XLS Exporter

Vulnerability: CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Hidden Login Bypass
Patched Version: 7.9.1
Recommended Action: Update to version 7.9.1, or a newer patched version

Plugin: Rich Table of Contents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Code Snippets Extended

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Content Repeater – Custom Posts Simplified

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Widget
Patched Version: 1.8.19
Recommended Action: Update to version 1.8.19, or a newer patched version

Plugin: JetWidgets For Elementor

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: MagicForm

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Symposium

Vulnerability: Blind SQL Injection
Patched Version: 15.8
Recommended Action: Update to version 15.8, or a newer patched version

Plugin: Booster Plus for WooCommerce

Vulnerability: Cross-Site Request Forgery leading to Arbitrary Custom Role Creation/Deletion
Patched Version: 5.6.6
Recommended Action: Update to version 5.6.6, or a newer patched version

Plugin: wpShopGermany – Protected Shops

Vulnerability: Protected Shops <= 2.0
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: 1.9.11
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Flowplayer Video Player

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: WordPress Poll

Vulnerability: SQL Injection
Patched Version: 34.06
Recommended Action: Update to version 34.06, or a newer patched version

Plugin: Universal Star Rating

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WTI Like Post

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: CM Download Manager – Document and File Management

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.185.1
Recommended Action: Update to version 5.185.1, or a newer patched version

Plugin: iQ Block Country

Vulnerability: Admin+ Arbitrary File Deletion via Zip Slip
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version

Plugin: TagGator

Vulnerability: SQL Injection
Patched Version: 1.33
Recommended Action: Update to version 1.33, or a newer patched version

Plugin: WP Cumulus

Vulnerability: Sensitive Information Exposure
Patched Version: 1.23
Recommended Action: Update to version 1.23, or a newer patched version

Plugin: Photo Gallery by Ays – Responsive Image Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.7
Recommended Action: Update to version 5.2.7, or a newer patched version

Plugin: Twitter Cards Meta – Best Twitter Card Plugin for WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: Adapta RGPD

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Cross-Site Scripting
Patched Version: 8.0.08
Recommended Action: Update to version 8.0.08, or a newer patched version

Plugin: Church Admin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version

Plugin: wpShopGermany IT-RECHT KANZLEI

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: WP Favorite Posts

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Simple Job Board

Vulnerability: Missing Authorization
Patched Version: 2.10.6
Recommended Action: Update to version 2.10.6, or a newer patched version

Core: WordPress

Vulnerability: Missing Authorization
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: WordPress Responsive Preview

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated Open Redirect
Patched Version: 3.3.19.1
Recommended Action: Update to version 3.3.19.1, or a newer patched version

Plugin: Auto Featured Image (Auto Post Thumbnail)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via import
Patched Version: 3.6.11
Recommended Action: Update to version 3.6.11, or a newer patched version

Plugin: Transposh WordPress Translation

Vulnerability: Unauthorized Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: cformsII

Vulnerability: Arbitrary File Upload
Patched Version: 14.8
Recommended Action: Update to version 14.8, or a newer patched version

Plugin: WDSocialWidgets

Vulnerability: SQL Injection
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Banner Management For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: simpleflickr

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RokStories

Vulnerability: Full Path Disclosure
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version

Plugin: WP BaiDu Submit

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery PhotoBlocks

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)

Vulnerability: Authenticated Stored Cross-Site Scripting via Title & Description
Patched Version: 9.8.0
Recommended Action: Update to version 9.8.0, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.11.1
Recommended Action: Update to version 2.7.11.1, or a newer patched version

Plugin: BackUpWordPress

Vulnerability: Remote File Inclusion
Patched Version: 0.4.3
Recommended Action: Update to version 0.4.3, or a newer patched version

Plugin: Simple Quotation

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 301 Redirects – Easy Redirect Manager

Vulnerability: Easy Redirect Manager <= 2.72
Patched Version: 2.73
Recommended Action: Update to version 2.73, or a newer patched version

Plugin: Testimonial WordPress Plugin – AP Custom Testimonial

Vulnerability: SQL Injection
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: WPPizza – A Restaurant Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.17.2
Recommended Action: Update to version 3.17.2, or a newer patched version

Plugin: Crayon Syntax Highlighter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Easy Gallery – WordPress Gallery Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: WP Maintenance Mode & Site Under Construction

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: MainWP Maintenance Extension

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: Like Button Rating ♥ LikeBtn

Vulnerability: Arbitrary Settings Change
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: WP Brutal AI

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.06
Recommended Action: Update to version 2.06, or a newer patched version

Plugin: wp-live-chat-support-pro

Vulnerability: Arbitrary File Upload
Patched Version: 8.0.27
Recommended Action: Update to version 8.0.27, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 3.2.49
Recommended Action: Update to version 3.2.49, or a newer patched version

Plugin: Push Notification for Post and BuddyPress

Vulnerability: Missing Authorization to Unauthenticated Admin Notice Dismissal
Patched Version: 1.64
Recommended Action: Update to version 1.64, or a newer patched version

Plugin: HTML5 SoundCloud Player with Playlist Free

Vulnerability: Authenticated (Author+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YASR – Yet Another Star Rating Plugin for WordPress

Vulnerability: Missing Authorization to Vote Tampering
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘pages’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Protect WP Admin

Vulnerability: Unauthenticated Plugin Deactivation
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: Image Gallery – Responsive Photo Gallery

Vulnerability: Responsive Photo Gallery <= 1.7.0
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: WP People

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Field Template

Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version

Plugin: Coupon Tab for DirectoryPress (pp-coupon-tab)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hubbub Lite – Fast, Reliable Social Sharing Buttons

Vulnerability: Missing Authorization via multiple admin_init actions
Patched Version: 1.30.1
Recommended Action: Update to version 1.30.1, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Missing Authorization to Arbitrary User Deletion
Patched Version: 3.8.1.3
Recommended Action: Update to version 3.8.1.3, or a newer patched version

Plugin: new-year-firework

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via accessibility-helper Title
Patched Version: 3.7.10
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.10, 3.8.10, 3.9.8, 4.0.7, 4.1.7, 4.2.4

Plugin: Login with TOTP (Google Authenticator, Microsoft Authenticator)

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Admin+) Cross-Site Scripting (XSS)
Patched Version: 1.5.49
Recommended Action: Update to version 1.5.49, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Slick Contact Forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: spider-calendar

Vulnerability: Multiple Vulnerabilities
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.41
Recommended Action: Update to one of the following versions, or a newer patched version: 3.2.41, 3.2.5

Plugin: Dashicons + Custom Post Types

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Smart Import : Import any XML File to WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: WP LESS to CSS

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Register Plus

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 Database Addon – CFDB7

Vulnerability: SQL Injection
Patched Version: 1.2.5.4
Recommended Action: Update to version 1.2.5.4, or a newer patched version

Plugin: Limit Login Attempts Plus – WordPress Limit Login Attempts By Felix

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Securimage-WP

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Donation Plugin <= 2.33.0
Patched Version: 2.33.1
Recommended Action: Update to version 2.33.1, or a newer patched version

Plugin: WordPress Flipbook by Supsystic

Vulnerability: Cross-Site Request Forgery via AJAX action
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet

Vulnerability: Paid Author Subscriptions, Content, Downloads, Membership <= 1.9.5
Patched Version: 1.9.6
Recommended Action: Update to version 1.9.6, or a newer patched version

Plugin: Geo Controller

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.13.12
Recommended Action: Update to version 7.13.12, or a newer patched version

Plugin: The Events Calendar

Vulnerability: Cross-Site Scripting via tribe_paged Parameter
Patched Version: 4.8.2
Recommended Action: Update to version 4.8.2, or a newer patched version

Plugin: LearnDash LMS

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: 4.6.0.1
Recommended Action: Update to version 4.6.0.1, or a newer patched version

Plugin: Elements For Elementor

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: DiveBook

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fancy Product Designer

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 4.7.6
Recommended Action: Update to version 4.7.6, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: SQL Injection
Patched Version: 7.3.19.727
Recommended Action: Update to version 7.3.19.727, or a newer patched version

Plugin: Events

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress

Vulnerability: Sensitive Information Exposure
Patched Version: 20.5.4
Recommended Action: Update to version 20.5.4, or a newer patched version

Plugin: Football Pool

Vulnerability: Cross-Site Scripting
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: GetResponse for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.5.21
Recommended Action: Update to version 5.5.21, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.19.2
Recommended Action: Update to version 4.19.2, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: Ultimate Appointment Booking & Scheduling

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.10
Recommended Action: Update to version 1.1.10, or a newer patched version

Plugin: Contact Form Builder by vcita

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.13
Recommended Action: Update to version 1.9.13, or a newer patched version

Plugin: Gravity Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: Ubigeo de Perú para Woocommerce y WordPress

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version

Plugin: Classified Listing – Classified ads & Business Directory Plugin

Vulnerability: Cross-Site Request Forgery via rtcl_ajax_thumbnail_delete
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: Multiple SQL Injection
Patched Version: 1.5.16
Recommended Action: Update to version 1.5.16, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.94
Recommended Action: Update to version 3.3.94, or a newer patched version

Plugin: Advance Search for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: aBitGone CommentSafe

Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery via give_get_content_by_ajax_handler
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: WP Private Content Plus

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: BuddyPress Builder for Elementor – BuddyBuilder

Vulnerability: BuddyPress Builder for Elementor <= 1.7.3
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: LIQUID SPEECH BALLOON

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Custom Sidebars – Dynamic Sidebar Widget Area Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.0.2
Recommended Action: Update to version 2.1.0.2, or a newer patched version

Plugin: Social Sharing Plugin – Sassy Social Share

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.45
Recommended Action: Update to version 3.3.45, or a newer patched version

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.6.51
Recommended Action: Update to version 1.6.51, or a newer patched version

Plugin: Creative Mail – Easier WordPress & WooCommerce Email Marketing

Vulnerability: Cross-Site Request Forgery to Plugin Deactivation
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Custom Post Type Generator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Subpages Extended

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Analytics Insights – Google Analytics Dashboard for WordPress

Vulnerability: Open Redirect
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: Meks Easy Photo Feed Widget

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Tune Library

Vulnerability: SQL Injection
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Schema – All In One Schema Rich Snippets

Vulnerability: All In One Schema Rich Snippets <= 1.6.5
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Network Settings Page
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: Delete Usermetas

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Featured Comments

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: SEO Plugin LiveOptim

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: File Upload Path Traversal
Patched Version: 1.5.75
Recommended Action: Update to version 1.5.75, or a newer patched version

Plugin: Super Store Finder

Vulnerability: Arbitrary File Upload
Patched Version: 6.2
Recommended Action: Update to version 6.2, or a newer patched version

Plugin: Real Testimonials – Testimonial Slider, Carousel, Grid | Collect Customer Reviews and Video Testimonial with Testimonial Form | Social Proof Reviews and Review Slider

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Price Table

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Custom Settings

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Security Question

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Print My Blog – Print, PDF, & eBook Converter WordPress Plugin

Vulnerability: Server-Side Request Forgery
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Form, Prize, and Sharing Method Fields
Patched Version: 2.45.1
Recommended Action: Update to version 2.45.1, or a newer patched version

Plugin: Brandfolder – Digital Asset Management Simplified.

Vulnerability: Local/Remote File Inclusion
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: AB Google Map Travel (AB-MAP)

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Portfolio Responsive Gallery

Vulnerability: Blind SQL Injection
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Add Local Avatar

Vulnerability: Cross-Site Request Forgery via manage_avatar_cache
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Authenticated Privilege Escalation
Patched Version: 4.6.0.4
Recommended Action: Update to version 4.6.0.4, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Missing Authorization Checks
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Forym

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress

Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 6.0
Recommended Action: Update to version 6.0, or a newer patched version

Plugin: Page Builder with Image Map by AZEXO

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit

Vulnerability: Missing Authorization
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Custom Searchable Data Entry System

Vulnerability: Unauthenticated Database Wiping
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GoHero Store Customizer for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Getnet Argentina para WooCommerce

Vulnerability: 0.0.4
Patched Version: 0.0.5
Recommended Action: Update to version 0.0.5, or a newer patched version

Plugin: Captchinoo, admin login page protection with Google recaptcha

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Missing Capabilities Check
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Missing Authorization to Admin Account and Ticket Creation
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: WordPress to Freshsales Integration

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.2.3
Recommended Action: Update to version 1.3.2.3, or a newer patched version

Plugin: HTML5 Responsive FAQ

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.2.0
Recommended Action: Update to version 7.2.0, or a newer patched version

Core: WordPress

Vulnerability: Arbitrary Page Modification
Patched Version: 3.7.18
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.18, 3.8.18, 3.9.16, 4.0.15, 4.1.15, 4.2.12, 4.3.8, 4.4.7, 4.5.6, 4.6.3, 4.7.2

Plugin: Material Design Icons for Page Builders

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Simple Calendar – Google Calendar Plugin

Vulnerability: Cross-Site Request Forgery to Transient Cache Clearing
Patched Version: 3.1.43
Recommended Action: Update to version 3.1.43, or a newer patched version

Plugin: External Links in New Window / New Tab

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.43
Recommended Action: Update to version 1.43, or a newer patched version

Plugin: FileBird – WordPress Media Library Folders & File Manager

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.7.4
Recommended Action: Update to version 4.7.4, or a newer patched version

Plugin: Export All URLs

Vulnerability: Arbitrary File Deletion
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: Kraken.io Image Optimizer

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Plugin: WP-Members Membership Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.8.1
Recommended Action: Update to version 3.2.8.1, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.9.6
Recommended Action: Update to version 5.9.6, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authorization Bypass
Patched Version: 2.9.6
Recommended Action: Update to version 2.9.6, or a newer patched version

Plugin: WPFrom Email

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version

Plugin: Csv2WPeC Coupon

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CardGate Payments for WooCommerce

Vulnerability: Lack of Origin Validation
Patched Version: 3.1.16
Recommended Action: Update to version 3.1.16, or a newer patched version

Plugin: Schedulicity – Easy Online Scheduling

Vulnerability: Easy Online Scheduling <= 2.21
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: History Collection

Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 3.7.11
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.11, 3.8.11, 3.9.9, 4.0.8, 4.1.8, 4.2.5, 4.3.1

Plugin: WP Customer Reviews

Vulnerability: Authenticated (Subscriber+) Sensitive Information Exposure
Patched Version: 3.6.7
Recommended Action: Update to version 3.6.7, or a newer patched version

Plugin: WHMCS Bridge

Vulnerability: No subtitle
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: CP Image Store with Slideshow

Vulnerability: Arbitrary File Download
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.2.7
Recommended Action: Update to version 6.2.7, or a newer patched version

Plugin: Mailtree Log Mail

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: yurl-retwitt

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Post URL

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TablePress – Tables in WordPress made easy

Vulnerability: Authenticated (Author+) CSV Injection
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: DoLogin Security

Vulnerability: Missing Authorization on Dashboard Widget
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version

Plugin: Contact Form 7 Captcha

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.1.2
Recommended Action: Update to version 0.1.2, or a newer patched version

Plugin: IP Blacklist Cloud

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Frontier Post

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Insecure Direct Object Reference
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version

Plugin: WP Roadmap – Product Feedback Board

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Inline Related Posts

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via wp_user_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: Fancy Comments WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version

Plugin: SVG Support

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Enhanced Text Widget

Vulnerability: Missing Authorization via etw_hide_admin_notification_callback
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file
Patched Version: 4.9.1
Recommended Action: Update to one of the following versions, or a newer patched version: 4.9.1, 4.9.3

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: CSV Importer

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.3.9
Recommended Action: Update to version 0.3.9, or a newer patched version

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: No subtitle
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version

Plugin: Social Media Widget by Acurax

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Astra Bulk Edit

Vulnerability: Missing Authorization
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Peadig's Twitter Feed: Embedded Timeline WordPress Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GD bbPress Attachments

Vulnerability: Directory Traversal
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Nimble Page Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Local File Inclusion
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.56
Recommended Action: Update to version 0.9.56, or a newer patched version

Plugin: Fancy Gallery – WordPress plugin | Galleries

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: LOGIN AND REGISTRATION ATTEMPTS LIMIT

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slideshow

Vulnerability: Cross-Site Scripting and Sensitive Information Disclosure
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version

Plugin: Chatbot with IBM watsonx Assistant

Vulnerability: Cross-Site Scripting
Patched Version: 0.8.21
Recommended Action: Update to version 0.8.21, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Server-Side Request Forgery
Patched Version: 6.5.3
Recommended Action: Update to version 6.5.3, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: Really Simple Guest Post

Vulnerability: Local File Inclusion
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Super Store Finder

Vulnerability: SQL Injection
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version

Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2021.9
Recommended Action: Update to version 2021.9, or a newer patched version

Plugin: WordPress Countdown Widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.1.9.2
Recommended Action: Update to version 3.1.9.2, or a newer patched version

Plugin: WPCHURCH – Church Management System for WordPress

Vulnerability: Church Management System for WordPress Theme < 13-07-2019
Patched Version: 13-07-2019
Recommended Action: Update to version 13-07-2019, or a newer patched version

Plugin: YASR – Yet Another Star Rating Plugin for WordPress

Vulnerability: Authenticated SQL Injection
Patched Version: 0.9.1
Recommended Action: Update to version 0.9.1, or a newer patched version

Plugin: Auto Rename Media On Upload

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Arbitrary Booking Update and Sensitive Data Exposure
Patched Version: 1.0.49
Recommended Action: Update to version 1.0.49, or a newer patched version

Plugin: VS Contact Form

Vulnerability: Captcha Bypass
Patched Version: 11.6
Recommended Action: Update to version 11.6, or a newer patched version

Plugin: Update Image Tag Alt Attribute

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Appointment Booking Calendar

Vulnerability: CSV Injection
Patched Version: 1.3.35
Recommended Action: Update to version 1.3.35, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
Patched Version: 3.4.34
Recommended Action: Update to version 3.4.34, or a newer patched version

Plugin: XEN Carousel

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Email Users

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.8.3
Recommended Action: Update to version 4.8.3, or a newer patched version

Plugin: FormCraft – Form Builder

Vulnerability: Missing Authorization via formcraft_nag_update
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Portfolio Gallery – Image Gallery Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Twimp WP

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Loan Comparison

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: WP fancybox

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Follow Me Plugin

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visual CSS Style Editor

Vulnerability: Reflected Cross-Site Scripting via wyp_page_type parameter
Patched Version: 7.5.4
Recommended Action: Update to version 7.5.4, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Arbitrary File Upload
Patched Version: 7.0.2
Recommended Action: Update to version 7.0.2, or a newer patched version

Plugin: JetBlocks for Elementor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.8.1
Recommended Action: Update to version 1.3.8.1, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Cross-Site Request Forgery via ajax_save_state
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: WP Accessibility Helper (WAH)

Vulnerability: Reflected Cross-Site Scripting via wahi
Patched Version: 0.6.0.7
Recommended Action: Update to version 0.6.0.7, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.10
Recommended Action: Update to version 2.5.10, or a newer patched version

Plugin: Accessibility

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Team Circle Image Slider With Lightbox

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.18
Recommended Action: Update to version 1.0.18, or a newer patched version

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Advanced Order Export For WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: Google Maps made Simple

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Steveas WP Live Chat Shoutbox

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘uucss_update_rule’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Perfect Survey

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Create Block Theme

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: WP Offload SES Lite

Vulnerability: Interpretation Conflict
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools

Vulnerability: Missing Authorization
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: Opal Estate

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Stripe Payment Plugin for WooCommerce

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: Powerplay Gallery

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Coupon Affiliates – Affiliate Plugin for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.11.3.4
Recommended Action: Update to version 4.11.3.4, or a newer patched version

Plugin: Extra Block Design, Style, CSS for ANY Gutenberg Blocks

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.2.7
Recommended Action: Update to version 0.2.7, or a newer patched version

Plugin: Parsian Bank Gateway for Woocommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.22.3
Recommended Action: Update to version 1.22.3, or a newer patched version

Plugin: AmpedSense – AdSense Split Tester

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Feedweb

Vulnerability: Missing Authorization
Patched Version: 3.0.11
Recommended Action: Update to version 3.0.11, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via plupload.flash.swf
Patched Version: 3.7.14
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.14, 3.8.14, 3.9.12, 4.0.11, 4.1.11, 4.2.8, 4.3.4, 4.4.3, 4.5.2

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 2.9.7
Recommended Action: Update to version 2.9.7, or a newer patched version

Plugin: Affiliate Power – Sales Tracking for Affiliate Marketers

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Content Mask

Vulnerability: Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 1.8.4.1
Recommended Action: Update to version 1.8.4.1, or a newer patched version

Plugin: ConvertPlus

Vulnerability: Unauthenticated Administrator Creation
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Stream

Vulnerability: Admin+ SQL Injection
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: Radio Buttons for Taxonomies

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Portfolio Slideshow

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version

Plugin: Custom Post Type and Taxonomy GUI Manager

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Visual Composer Website Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via ‘Title’
Patched Version: 45.0.1
Recommended Action: Update to version 45.0.1, or a newer patched version

Plugin: Accordion

Vulnerability: Unprotected AJAX Action to Stored/Reflected Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: PICA Photo Gallery

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Cross-Site Request Forgery to Product Manipulation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Embed Privacy

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Core: WordPress MU

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.5a
Recommended Action: Update to version 1.2.5a, or a newer patched version

Plugin: WordPress Simple HTML Sitemap

Vulnerability: Reflected Cross-Site Scripting via id
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: WPtouch – Make your WordPress Website Mobile-Friendly

Vulnerability: Cross-Site Scripting
Patched Version: 3.7.6
Recommended Action: Update to version 3.7.6, or a newer patched version

Plugin: Advanced Booking Calendar

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 2Way VideoCalls and Random Chat – HTML5 Webcam Videochat

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.8
Recommended Action: Update to version 5.2.8, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version

Plugin: Accept Stripe Donation and Payments – AidWP

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP

Vulnerability: Broadcast Live Video <= 5.5.15
Patched Version: 5.5.16
Recommended Action: Update to version 5.5.16, or a newer patched version

Plugin: Essential Real Estate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Web Invoice – Invoicing and billing for WordPress

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms

Vulnerability: Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Invitation Based Registrations

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Cross-Site Request Forgery via handleSubmitAction function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Grou Random Image Widget

Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Profile & Dashboard fields [Modify/Disable/Remove]

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.04
Recommended Action: Update to version 1.04, or a newer patched version

Plugin: WooCommerce Anti-Fraud

Vulnerability: Insecure Direct Object Reference
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Image News Slider

Vulnerability: Unspecified Vulnerability
Patched Version: 3.3
Recommended Action: Update to version 3.3, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Cross-Site Request Forgery via handle_optin_optout()
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: Newsletter Popup

Vulnerability: Cross-Site Request Forgery to Record Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import and export users and customers

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.19.2.1
Recommended Action: Update to version 1.19.2.1, or a newer patched version

Plugin: Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress

Vulnerability: Authorization Bypass
Patched Version: 3.83
Recommended Action: Update to version 3.83, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Authenticated Arbitrary File Read
Patched Version: 0.9.71
Recommended Action: Update to version 0.9.71, or a newer patched version

Plugin: WooCommerce EAN Payment Gateway

Vulnerability: Missing Authorization to Authenticated (Contributor+) EAN Update
Patched Version: 6.1.0
Recommended Action: Update to version 6.1.0, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: SQL Injection
Patched Version: 2.05.03
Recommended Action: Update to version 2.05.03, or a newer patched version

Core: WordPress

Vulnerability: Improper Authorization to Information Disclosure
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Missing Authorization on ajax_add_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Media Library Categories

Vulnerability: Unauthenticated Multiple Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Flipbook by Supsystic

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: Automated Editor

Vulnerability: Cross-Site Request Forgery via admin menu pages
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Original Media Path

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: WP Custom Cursors | WordPress Cursor Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Wp Cookie Choice

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: which template file

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.9.0
Recommended Action: Update to version 4.9.0, or a newer patched version

Plugin: Easy Newsletter Signups

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Batch Cat

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iPages Flipbook For WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: MultiParcels Shipping For WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.15.4
Recommended Action: Update to version 1.15.4, or a newer patched version

Plugin: 胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件

Vulnerability: Missing Authorization
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Popup Box (Developer) – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: 7.9.0) and Developer (20.0.0
Patched Version: 20.9.0
Recommended Action: Update to version 20.9.0, or a newer patched version

Plugin: Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping

Vulnerability: Cross-Site Request Forgery via enableDisable and deletePost
Patched Version: 1.6.4.6
Recommended Action: Update to version 1.6.4.6, or a newer patched version

Plugin: Advanced Custom Fields: Image Crop Add-on

Vulnerability: Improper Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Arigato Autoresponder and Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.1.9
Recommended Action: Update to version 2.5.1.9, or a newer patched version

Plugin: Read More Excerpt Link

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Beebee Mini

Vulnerability: Unauthorized File Upload via ACF
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.1
Recommended Action: Update to version 4.2.1, or a newer patched version

Plugin: Link Library

Vulnerability: Missing Authorization Checks
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version

Plugin: WP FullCalendar

Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Force First and Last Name as Display Name

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: WP OAuth Server (OAuth Authentication)

Vulnerability: Authenticated (Subscriber+) Arbitrary Client Deletion (wo_ajax_remove_client)
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Comment Reply Notification

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Open Graph and Twitter Card Tags

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.4.1
Recommended Action: Update to version 2.2.4.1, or a newer patched version

Plugin: WP Background Takeover

Vulnerability: Directory Traversal
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Easy Preloader

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Songbook

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blog2Social: Social Media Auto Post & Scheduler

Vulnerability: Authenticated SQL Injection
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version

Plugin: Shortlink by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Admin Management Xtended

Vulnerability: Cross-Site Request Forgery to Post Status Update
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: Shortcode Redirect

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.02
Recommended Action: Update to version 1.0.02, or a newer patched version

Core: WordPress

Vulnerability: Open Redirect
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: WP Symposium

Vulnerability: Cross-Site Scripting
Patched Version: 13.04
Recommended Action: Update to version 13.04, or a newer patched version

Plugin: Mingle Forum

Vulnerability: SQL Injection
Patched Version: 1.0.34
Recommended Action: Update to version 1.0.34, or a newer patched version

Plugin: User Email Verification for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.0.7.2
Recommended Action: Update to version 3.0.7.2, or a newer patched version

Plugin: Nelio AB Testing

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.6.4
Recommended Action: Update to version 4.6.4, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: SQL Injection
Patched Version: 4.2.23
Recommended Action: Update to version 4.2.23, or a newer patched version

Plugin: HandL UTM Grabber / Tracker

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Simple Membership

Vulnerability: Membership Privilege Escalation
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version

Plugin: 404 to 301 – Redirect, Log and Notify 404 Errors

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Voting Record

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tiger Forms – Drag and Drop Form Builder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 13.0.6
Recommended Action: Update to version 13.0.6, or a newer patched version

Plugin: History Log by click5

Vulnerability: Authenticated (Administrator+) Time-Based Blind SQL Injection
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.2.6
Recommended Action: Update to version 5.2.6, or a newer patched version

Plugin: WP-FormAssembly

Vulnerability: Limited Server Side Request Forgery via ‘formassembly’ shortcode
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Easy Newsletter Signups

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: StoryChief

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.31
Recommended Action: Update to version 1.0.31, or a newer patched version

Plugin: Themify – WooCommerce Product Filter

Vulnerability: WooCommerce Product Filter <= 1.3.7
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Sp*tify Play Button for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.06
Recommended Action: Update to version 2.06, or a newer patched version

Plugin: MailPoet Newsletters (Previous)

Vulnerability: Multiple SQL Injections
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: WP PDF Generator

Vulnerability: Cross-Site Request Forgery to PDF Settings Update
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Privilege Escalation
Patched Version: 18.3
Recommended Action: Update to version 18.3, or a newer patched version

Plugin: Ripe HD FLV

Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Tabs – Responsive Tabs and Custom Product Tabs

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.15
Recommended Action: Update to version 2.1.15, or a newer patched version

Plugin: Code Snippets

Vulnerability: Cross-Site Request Forgery via load
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Image horizontal reel scroll slideshow

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 13.4
Recommended Action: Update to version 13.4, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Export any WordPress data to XML/CSV

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Woo MerchantX

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Booking Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: Search in Place

Vulnerability: Missing Authorization to Feedback Submission
Patched Version: 1.0.105
Recommended Action: Update to version 1.0.105, or a newer patched version

Plugin: Oi Yandex.Maps for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smooth Page Scroll Up/Down Buttons

Vulnerability: Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Missing Authorization to Arbitrary File Upload
Patched Version: 3.0.96
Recommended Action: Update to version 3.0.96, or a newer patched version

Plugin: SAHU TikTok Pixel for E-Commerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wp-championship

Vulnerability: SQL Injection
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: WP YouTube Lyte

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.7.16
Recommended Action: Update to version 1.7.16, or a newer patched version

Plugin: Send PDF for Contact Form 7

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 0.9.2
Recommended Action: Update to version 0.9.2, or a newer patched version

Plugin: WP Travel – Ultimate Travel Booking System, Tour Management Engine

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version

Plugin: WPS Limit Login

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.4.6.1
Recommended Action: Update to version 1.4.6.1, or a newer patched version

Plugin: Page Builder by SiteOrigin

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 2.10.16
Recommended Action: Update to version 2.10.16, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Missing Authorization via ‘start_staging’ and ‘get_staging_progress’
Patched Version: 0.9.91
Recommended Action: Update to version 0.9.91, or a newer patched version

Plugin: Global Content Blocks

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Missing Authorization
Patched Version: 2.5.4.4
Recommended Action: Update to version 2.5.4.4, or a newer patched version

Plugin: Photo Gallery by Supsystic

Vulnerability: Cross-Site Request Forgery to Plugin Settings Change
Patched Version: 1.15.6
Recommended Action: Update to version 1.15.6, or a newer patched version

Plugin: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.29.1
Recommended Action: Update to version 3.29.1, or a newer patched version

Plugin: Easy Digital Downloads – Per Product Emails

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Waiting: One-click countdowns

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Portfolio and Projects

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Redirection

Vulnerability: Cross-Site Request Forgery via ‘SaveSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Missing Authorization via ajax_unassign_folders
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Simple Backup

Vulnerability: Arbitrary File Download via Path Traversal
Patched Version: 2.7.11
Recommended Action: Update to version 2.7.11, or a newer patched version

Plugin: Houzez Login Register

Vulnerability: Privilege Escalation
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: WP Crowdfunding

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Klaviyo

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.10
Recommended Action: Update to version 3.0.10, or a newer patched version

Plugin: Pay with Vipps and MobilePay for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.14.14
Recommended Action: Update to version 1.14.14, or a newer patched version

Plugin: Real-Time Find and Replace

Vulnerability: Cross-Site Scripting
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version

Plugin: Simple Page Ordering

Vulnerability: Regular Expression Denial of Service
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: Trustprofile and reviews for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.25
Recommended Action: Update to version 3.25, or a newer patched version

Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Missing Authorization to Update License
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: Image News Slider

Vulnerability: Arbitrary File Upload
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Contact Form 7 Style

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: PHP Object Injection
Patched Version: 3.7.28
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1

Plugin: Business Directory Plugin – Easy Listing Directories for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.11.1
Recommended Action: Update to version 5.11.1, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Constant Contact Forms

Vulnerability: Information Disclosure via Log Files
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: Shortcodes Finder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Eventr

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Link Whisper Free

Vulnerability: Missing Authorization via init()
Patched Version: 0.6.4
Recommended Action: Update to version 0.6.4, or a newer patched version

Plugin: CRM: Contact Management Simplified – UkuuPeople

Vulnerability: Cross-Site Request Forgery to Favorite Addition/Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Marketing Performance

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: WP Meta SEO

Vulnerability: Missing Authorization in ‘startProcess’ to Arbitrary Redirect via ‘update_link_redirect’ task
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version

Plugin: Bg Bible References

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Yoo Slider – Image Slider & Video Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Email download link

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO Redirection Plugin – 301 Redirect Manager

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 7.1
Recommended Action: Update to version 7.1, or a newer patched version

Plugin: Analytics Cat – Google Analytics Made Easy

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Maintenance Mode by Supsystic

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.11
Recommended Action: Update to version 1.7.11, or a newer patched version

Plugin: RESPONSIVE 3D SLIDER

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting via render_dropdown
Patched Version: 2.25.2
Recommended Action: Update to version 2.25.2, or a newer patched version

Plugin: JSmol2WP

Vulnerability: Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Analyticator

Vulnerability: Cross-Site Scripting
Patched Version: 5.2.1
Recommended Action: Update to version 5.2.1, or a newer patched version

Plugin: Product List / Grid View for Woocommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Author Box

Vulnerability: Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary User Sensitive Information Exposure
Patched Version: 2.52
Recommended Action: Update to version 2.52, or a newer patched version

Plugin: Simple 301 Redirects By BetterLinks – Easy Redirect Manager for WP, 404 Error Log & More

Vulnerability: 2.0.3
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: One Click SSL

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Order Notification for WooCommerce – Get Audio Alert on new Orders

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Interactive Medical Drawing of Human Body

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.12
Recommended Action: Update to version 3.8.12, or a newer patched version

Plugin: Portfolio Gallery – Responsive Image Gallery

Vulnerability: Missing Authorization to Arbitrary Gallery Deletion
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: Remove CPT base

Vulnerability: Cross-Site Request Forgery to CPT base deletion
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: We’re Open!

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.47
Recommended Action: Update to version 1.47, or a newer patched version

Plugin: WPJAM Basic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.2.1.1
Recommended Action: Update to version 6.2.1.1, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Student+) SQL Injection
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: SEO Smart Links

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Booking Calendar

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 9.4.3.1
Recommended Action: Update to version 9.4.3.1, or a newer patched version

Plugin: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.0
Recommended Action: Update to version 4.5.0, or a newer patched version

Plugin: WP Cerber Security, Anti-spam & Malware Scan

Vulnerability: User Enumeration Bypass via REST API
Patched Version: 9.3.3
Recommended Action: Update to version 9.3.3, or a newer patched version

Plugin: WP Food Manager – Restaurant Menu & Online Food Ordering for WooCommerce – Food Delivery & Pickup – Table Reservation

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version

Plugin: wp2syslog

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NOTICE BOARD

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Crontrol

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: WP Symposium

Vulnerability: Cross-Site Scripting
Patched Version: 11.12.08
Recommended Action: Update to version 11.12.08, or a newer patched version

Plugin: Post State Tags

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clockwork SMS Notifications

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Caldera Forms – More Than Contact Forms

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Wise Chat

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Alojapro Booking Engine

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.16
Recommended Action: Update to version 1.1.16, or a newer patched version

Core: WordPress

Vulnerability: Privilege Escalation
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: BA Plus – Before & After Image Slider FREE

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 5.12.1
Recommended Action: Update to version 5.12.1, or a newer patched version

Plugin: PixTypes

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.15
Recommended Action: Update to version 1.4.15, or a newer patched version

Plugin: Process Steps Template Designer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Membership For WooCommerce – SIMPLE MEMBERSHIP PLANS, RECURRING REVENUE, USER PROFILES & SIGNUPS, CONTENT RESTRICTIONS, AND MEMBER LEVELS WITH WOOCOMMERCE MEMBERSHIP

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: Checkout with Zelle on Woocommerce

Vulnerability: Missing Authorization
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Core: WordPress

Vulnerability: SQL Injection
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Leaky Paywall

Vulnerability: No subtitle
Patched Version: 4.16.6
Recommended Action: Update to version 4.16.6, or a newer patched version

Plugin: Ajax Search Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Stock Manager for WooCommerce

Vulnerability: Authorization Bypass
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Simple Telegram

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Embed PDF

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Security Optimizer – The All-In-One Protection Plugin

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Appointments Scheduler

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PPOM – Product Addons & Custom Fields for WooCommerce

Vulnerability: Arbitrary File Upload
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: Foliopress WYSIWYG

Vulnerability: Cross-Site Scripting
Patched Version: 2.6.16
Recommended Action: Update to version 2.6.16, or a newer patched version

Plugin: Post Comments as bbPress Topics

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version

Plugin: Theme Switcha – Easily Switch Themes for Development and Testing

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Podcast Importer SecondLine

Vulnerability: SQL Injection
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: My WP Translate

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPML

Vulnerability: Reflected Cross-Site Scripting via wp_lang
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: bbPress Move Topics

Vulnerability: PHP Object Injection
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Rise Blocks – A Complete Gutenberg Page Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: GuruWalk Affiliates

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Missing Authorization
Patched Version: 2.0.14
Recommended Action: Update to version 2.0.14, or a newer patched version

Plugin: Blogroll Fun – Show Last Post and Last Update Time

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.8.5
Recommended Action: Update to version 0.8.5, or a newer patched version

Core: WordPress

Vulnerability: Information Disclosure
Patched Version: 3.7.17
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.17, 3.8.17, 3.9.15, 4.0.14, 4.1.14, 4.2.11, 4.3.7, 4.4.6, 4.5.5, 4.6.2, 4.7.1

Plugin: WP Meteor Website Speed Optimization Addon

Vulnerability: No subtitle
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version

Plugin: Simple Security

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: WooCommerce Bookings

Vulnerability: Insecure Direct Object Reference
Patched Version: 1.15.79
Recommended Action: Update to version 1.15.79, or a newer patched version

Plugin: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.0.11
Recommended Action: Update to version 1.7.0.11, or a newer patched version

Plugin: Orange Form

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP LINE Notify

Vulnerability: Reflected Cross-Site Scripting via ‘uid’
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Newsletter Popup

Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘nl_data’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Passster – Password Protect Pages and Content

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.5.5.8
Recommended Action: Update to version 3.5.5.8, or a newer patched version

Plugin: YITH WooCommerce Gift Cards Premium

Vulnerability: Arbitrary File Upload
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in multiple functions in admin/controller.php
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Eonet Manual User Approve

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Preview Link Generator

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Sensitive Data Exposure
Patched Version: 7.3.15.727
Recommended Action: Update to version 7.3.15.727, or a newer patched version

Plugin: WassUp Real Time Analytics

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: Transbank Webpay

Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 1.6.7
Recommended Action: Update to version 1.6.7, or a newer patched version

Plugin: Announce from the Dashboard

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Donations

Vulnerability: Unauthenticated Arbitrary Options Change
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Cross-Site Request Forgery leading to attachment deletion & Path Traversal
Patched Version: 1.14.2.2
Recommended Action: Update to version 1.14.2.2, or a newer patched version

Plugin: WP-PostRatings

Vulnerability: SQL Injection
Patched Version: 1.62
Recommended Action: Update to version 1.62, or a newer patched version

Plugin: Page View Count

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: WP-chgFontSize

Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Pricing Table

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.1.8
Recommended Action: Update to version 5.1.8, or a newer patched version

Plugin: Bonus for Woo

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8.3
Recommended Action: Update to version 5.8.3, or a newer patched version

Plugin: multi-plugin-installer

Vulnerability: Arbitrary File Read
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: MapifyLite (by MapifyPro)

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Redux Framework

Vulnerability: Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion
Patched Version: 4.2.13
Recommended Action: Update to version 4.2.13, or a newer patched version

Plugin: Blog Floating Button

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.13
Recommended Action: Update to version 1.4.13, or a newer patched version

Plugin: Grab & Save

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Add Edit Delete Listing Module

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Order address Print

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comments Ratings

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: SpiderVPlayer

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Countdown Widget

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 3.1.9.2
Recommended Action: Update to version 3.1.9.2, or a newer patched version

Plugin: ImageInject

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.16
Recommended Action: Update to version 1.16, or a newer patched version

Plugin: IP2Location Country Blocker

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.26.9
Recommended Action: Update to version 2.26.9, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Media Uploads
Patched Version: 3.7.30
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.14, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via wpbe_update_page_field
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Yellow Swordfish Simple Forum

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RB Internal Links

Vulnerability: Cross-Site Request Forgery to Settings update and Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPGraphQL

Vulnerability: Unauthenticated Comment Creation
Patched Version: 0.3.0
Recommended Action: Update to version 0.3.0, or a newer patched version

Plugin: Post Status Notifier Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10.1
Recommended Action: Update to version 1.10.1, or a newer patched version

Plugin: Request a Quote

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Testimonial – WordPress Testimonial Showcase Plugin Grid Plus Testimonial Slider

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery to Stripe Integration Deletion
Patched Version: 2.33.4
Recommended Action: Update to version 2.33.4, or a newer patched version

Plugin: Chronoforms

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Waitlist Woocommerce ( Back in stock notifier )

Vulnerability: Cross-Site Request Forgery to Arbitrary Options Update
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Slider Factory – Responsive Photo Slider, Image Slider, Video Slider, Carousel Slideshow

Vulnerability: Missing Authorization
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: WHOIS

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Login History

Vulnerability: SQL Injection via Order By
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Missing Authorization on ajax_save_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: WP Social Sharing

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Timeline Calendar

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Database Administrator

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version

Plugin: Event Registration

Vulnerability: PHP Object Injection
Patched Version: 6.03.01
Recommended Action: Update to version 6.03.01, or a newer patched version

Plugin: vodpod-video-gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OAuth Client by DigitialPixies

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: SQL Injection
Patched Version: 2.53
Recommended Action: Update to version 2.53, or a newer patched version

Plugin: InPost Gallery

Vulnerability: Local File Inclusion
Patched Version: 2.1.4.1
Recommended Action: Update to version 2.1.4.1, or a newer patched version

Plugin: Note Press

Vulnerability: Authenticated (Admin+) SQL Injection via id Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hide My WP – Amazing Security Plugin for WordPress!

Vulnerability: Cross-Site Scripting
Patched Version: 4.52
Recommended Action: Update to version 4.52, or a newer patched version

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Subscriber+ SQL Injection
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: Gmedia Photo Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.18.5
Recommended Action: Update to version 1.18.5, or a newer patched version

Plugin: WP Intercom – Slack for WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: E-Search

Vulnerability: Reflected Cross-Site Scripting via title_az parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Privilege Escalation
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 6.15.15.3
Recommended Action: Update to version 6.15.15.3, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Missing Authorization in ‘clear_page_cache’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Branded Social Images – Open Graph Images with logo and extra text layer

Vulnerability: Missing Authorization leading to Unauthenticated Plugin Settings Updates
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: cforms

Vulnerability: Cross-Site Scripting
Patched Version: 10.2
Recommended Action: Update to version 10.2, or a newer patched version

Plugin: Random image gallery with pretty photo zoom

Vulnerability: DOM Cross-Site Scripting
Patched Version: 7.5
Recommended Action: Update to version 7.5, or a newer patched version

Plugin: WP eCommerce Shop Styling

Vulnerability: Directory Traversal
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: SendPress Newsletters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager

Vulnerability: Authenticated File Upload
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: NewStatPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder

Vulnerability: Remote Code Execution
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: Feed Them Social – Social Media Feeds, Video, and Photo Galleries

Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Image Metadata Cruncher

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.99
Recommended Action: Update to version 0.99, or a newer patched version

Plugin: Ultimate Product Catalog

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Reflected Cross-Site Scripting via section_id
Patched Version: 5.2.4.2
Recommended Action: Update to version 5.2.4.2, or a newer patched version

Plugin: WordPress Poll

Vulnerability: SQL Injection
Patched Version: 34.06
Recommended Action: Update to version 34.06, or a newer patched version

Core: WordPress

Vulnerability: Media Related Security Issue
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: WP Responsive Menu

Vulnerability: Missing Authorization to Settings Update & Stored Cross-Site Scripting
Patched Version: 3.1.7.1
Recommended Action: Update to version 3.1.7.1, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Missing Authorization to Product Manipulation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WordPress Shout Box Widget

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP eCommerce

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.8.7.2
Recommended Action: Update to version 3.8.7.2, or a newer patched version

Plugin: Headless CMS

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All Users Messenger

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference to Message Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rate My Post – Star Rating Plugin by FeedbackWP

Vulnerability: IP Address Spoofing
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: PDF Invoices & Packing Slips for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: WP Jump Menu

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pricing Table by Supsystic

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version

Plugin: AntiVirus

Vulnerability: Full Path Disclosure
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: WP YouTube Live

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.22
Recommended Action: Update to version 1.7.22, or a newer patched version

Plugin: The Buffer Button

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Email

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.3.38
Recommended Action: Update to version 1.3.38, or a newer patched version

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.22
Recommended Action: Update to version 5.22, or a newer patched version

Plugin: WCFM Marketplace – Multivendor Marketplace for WooCommerce

Vulnerability: WooCommerce Multivendor Marketplace <= 3.4.11
Patched Version: 3.4.12
Recommended Action: Update to version 3.4.12, or a newer patched version

Plugin: Better Font Awesome

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: Adaptive Images for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.6.69
Recommended Action: Update to version 0.6.69, or a newer patched version

Plugin: Dialogs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Validation Bypass via Email Field
Patched Version: 3.4.27.1
Recommended Action: Update to version 3.4.27.1, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.16
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.16, 3.8.16, 3.9.14, 4.0.13, 4.1.13, 4.2.10, 4.3.6, 4.4.5, 4.5.4, 4.6.1

Plugin: Support Board

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Comment Guestbook

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Dokan – Powerful WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Vulnerability: Authenticated (Vendor+) Stored Cross-Site Scripting
Patched Version: 3.6.4
Recommended Action: Update to version 3.6.4, or a newer patched version

Plugin: Ultimate Gift Cards for WooCommerce – Create WooCommerce Gift Cards, Gift Vouchers, Redeem & Manage Digital Gift Coupons. Offer Gift Certificates, Schedule Gift Cards, and Use Advance Coupons With Personalized Templates

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: SpiderCalendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.65
Recommended Action: Update to version 1.6.65, or a newer patched version

Plugin: Local Weather

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LWS Tools

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: WPBakery Page Builder Clipboard

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.5.6
Recommended Action: Update to version 4.5.6, or a newer patched version

Plugin: miwoftp

Vulnerability: Arbitrary File Download
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via Plugin Names
Patched Version: 3.7.22
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.22, 3.8.22, 3.9.20, 4.0.19, 4.1.19, 4.2.16, 4.3.12, 4.4.11, 4.5.10, 4.6.7, 4.7.6, 4.8.2

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.7.7
Recommended Action: Update to version 6.7.7, or a newer patched version

Plugin: FormCraft

Vulnerability: Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Charts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FormBuilder

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wp-Insert

Vulnerability: Arbitrary File Upload
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: Slider Hero with Video Background, Animation

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.4.4
Recommended Action: Update to version 8.4.4, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.35
Recommended Action: Update to version 1.5.35, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Missing Authorization via CR_Manual
Patched Version: 5.38.2
Recommended Action: Update to version 5.38.2, or a newer patched version

Plugin: SearchWP Live Ajax Search

Vulnerability: Directory Traversal and Local File Inclusion
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Shared Files – Frontend File Upload Form & Secure File Sharing

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.57
Recommended Action: Update to version 1.6.57, or a newer patched version

Plugin: Sermon Browser

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Server-Side Request Forgery
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1

Plugin: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.12.1
Recommended Action: Update to version 8.12.1, or a newer patched version

Plugin: MailPoet Newsletters (Previous)

Vulnerability: Authorization Bypass
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Privilege Escalation via updraft_central_ajax_handler
Patched Version: 1.23.3
Recommended Action: Update to one of the following versions, or a newer patched version: 1.23.3, 2.23.3

Plugin: Link Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.2.9
Recommended Action: Update to version 7.2.9, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: No subtitle
Patched Version: 4.2.8
Recommended Action: Update to version 4.2.8, or a newer patched version

Plugin: Posts to Page

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Read and Understood

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Contact Bank – Contact Form Builder for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.226
Recommended Action: Update to version 2.0.226, or a newer patched version

Plugin: MC4WP: Mailchimp for WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 4.1.8
Recommended Action: Update to version 4.1.8, or a newer patched version

Plugin: Shoppable Images

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: WP Remote Users Sync

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version

Plugin: Flexi – Guest Submit

Vulnerability: Guest Submit < 4.20
Patched Version: 4.20
Recommended Action: Update to version 4.20, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via ‘notice’ parameter
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: WP Remote Users Sync

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Log View
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version

Plugin: Ultimate Reviews

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.0.16
Recommended Action: Update to version 3.0.16, or a newer patched version

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more

Vulnerability: SQL Injection
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: Improved user search in backend

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Advanced Order Export For WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Bootstrap Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Discussion Board – WordPress Forum Plugin

Vulnerability: Authenticated (Subscriber+) Content Injection
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

Plugin: VigilanTor

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.11
Recommended Action: Update to version 1.3.11, or a newer patched version

Plugin: HTML5 MP3 Player with Playlist Free

Vulnerability: Authenticated (Author+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sunshine Photo Cart: Free Client Photo Galleries for Photographers

Vulnerability: Insecure Direct Object Reference to Order Manipulation
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Timely Booking Button

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.9.44
Recommended Action: Update to version 2.9.44, or a newer patched version

Plugin: Event Tickets with Ticket Scanner

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Autolinks Manager – SEO Auto Linker

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.05
Recommended Action: Update to version 1.10.05, or a newer patched version

Plugin: WooCommerce

Vulnerability: Unauthorized Order Status Change
Patched Version: 3.5.10
Recommended Action: Update to one of the following versions, or a newer patched version: 3.5.10, 3.6.7, 3.7.3, 3.8.3, 3.9.5, 4.0.4, 4.1.4, 4.2.5, 4.3.6, 4.4.4, 4.5.5, 4.6.5, 4.7.4, 4.8.3, 4.9.5, 5.0.3, 5.1.3, 5.2.5, 5.3.3, 5.4.4, 5.5.4, 5.6.2, 5.7.2, 5.8.1, 5.9.1, 6.0.1, 6.1.2, 6.2.2, 6.3.1

Plugin: WooCommerce

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Subscriber+) Arbitrary Post Access via Shortcode
Patched Version: 5.12.8
Recommended Action: Update to version 5.12.8, or a newer patched version

Plugin: Redirection for Contact Form 7

Vulnerability: Authenticated Arbitrary Plugin Installation
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Memphis Documents Library

Vulnerability: Local File Inclusion
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.

Vulnerability: Unprotected AJAX Actions
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Vulnerability: Missing Authorization on ‘load_hcaptcha_preview’ AJAX function
Patched Version: 1.23.3
Recommended Action: Update to version 1.23.3, or a newer patched version

Plugin: Code Embed

Vulnerability: Authenticated (Contributor+) Denial of Service
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: Curtain

Vulnerability: Unauthenticated Maintenance Mode Enable/Disable
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Waiting: One-click countdowns

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Webcam Video Conference

Vulnerability: Unrestricted File Upload leading to Remote Code Execution
Patched Version: 4.91.9
Recommended Action: Update to version 4.91.9, or a newer patched version

Plugin: Post Connector

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version

Plugin: Page Builder with Image Map by AZEXO

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Activity Log

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Core: WordPress

Vulnerability: Information Disclosure (Multi-Part Email Leak)
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Plugin: Sign-up Sheets

Vulnerability: Authenticated CSV Injection
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Mobile Address Bar Changer

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cost Calculator

Vulnerability: Authenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AdRotate Banner Manager – The only ad manager you'll need

Vulnerability: Authenticated Stored Cross-Site Scripting via Advert Names
Patched Version: 5.8.23
Recommended Action: Update to version 5.8.23, or a newer patched version

Plugin: Peter’s Random Anti-Spam Image

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blog Grid & Post Grid – Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry, Category Post Grid By News & Blog Designer Pack

Vulnerability: Unauthenticated Remote Code Execution via Local File Inclusion
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Chat Button & Custom ChatGPT-Powered Bot by GetButton.io

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.8.10
Recommended Action: Update to version 1.8.10, or a newer patched version

Plugin: DX-auto-save-images

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Web Instant Messenger

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kento Post View Counter

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Forms Puzzle Captcha

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Inactive User Deleter

Vulnerability: Cross-Site Request Forgery via Multiple Functions
Patched Version: 1.60
Recommended Action: Update to version 1.60, or a newer patched version

Plugin: Social Sharing Plugin – Kiwi

Vulnerability: Arbitrary Options Update
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: Accept Stripe Payments

Vulnerability: Unauthenticated Content Injection
Patched Version: 2.0.80
Recommended Action: Update to version 2.0.80, or a newer patched version

Plugin: WassUp Real Time Analytics

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3.1
Recommended Action: Update to version 1.8.3.1, or a newer patched version

Plugin: YOP Poll

Vulnerability: Author+ Stored Cross-Site Scripting via Preview Module
Patched Version: 6.3.1
Recommended Action: Update to version 6.3.1, or a newer patched version

Plugin: cformsII

Vulnerability: Authenticated SQL Injection
Patched Version: 14.13
Recommended Action: Update to version 14.13, or a newer patched version

Plugin: WooCommerce Bulk Stock Management

Vulnerability: Cross-Site Scripting
Patched Version: 2.2.34
Recommended Action: Update to version 2.2.34, or a newer patched version

Plugin: Google Map Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: PHAR Deserialization
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: Affiliate Ads for Clickbank Products

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Saan World Clock

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.21
Recommended Action: Update to version 4.3.21, or a newer patched version

Plugin: Simple Share Buttons Adder

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: WP Simple Booking Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.8.5
Recommended Action: Update to version 2.0.8.5, or a newer patched version

Plugin: wp tell a friend popup form

Vulnerability: Cross-Site Request Forgery via ‘TellAFriend_admin’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Checkout Files Upload for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Slideshow

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GI-Media Library

Vulnerability: Directory Traversal
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: WP Table Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: Constant Contact Forms by MailMunch

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Authentication Bypass
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Logo Slider

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Uninstall

Vulnerability: Cross-Site Request Forgery to Site Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.11
Recommended Action: Update to version 4.1.11, or a newer patched version

Plugin: Simply Exclude

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HT Easy GA4 – Google Analytics WordPress Plugin

Vulnerability: Cross-Site Request Forgery via plugin_activation
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: WordPress Poll

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: Get your number

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fotomoto

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ResponsiveVoice Text To Speech

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Social Sharing Plugin – Social Warfare

Vulnerability: Unauthenticated Arbitrary Settings Update
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: WP Super Cache

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: PDF File Browser

Vulnerability: Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Armour – Honeypot Anti Spam

Vulnerability: No subtitle
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: PowerPack Pro for Elementor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.24
Recommended Action: Update to version 2.9.24, or a newer patched version

Plugin: Ricerca – advanced search

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version

Plugin: Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Zephyr Project Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: copy-me

Vulnerability: Missing Authorization & Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA

Vulnerability: Cross-Site Request Forgery via save_campaign_preview
Patched Version: 3.1.19
Recommended Action: Update to version 3.1.19, or a newer patched version

Plugin: SearchIQ – The Search Solution

Vulnerability: Missing Authorization via getSIQPluginSettings
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: Dave's WordPress Live Search

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via Plugin Deactivation and Deletion Errors
Patched Version: 3.7.39
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.39, 3.8.39, 3.9.37, 4.0.36, 4.1.36, 4.2.33, 4.3.29, 4.4.28, 4.5.27, 4.6.24, 4.7.24, 4.8.20, 4.9.21, 5.0.17, 5.1.14, 5.2.16, 5.3.13, 5.4.11, 5.5.10, 5.6.9, 5.7.7, 5.8.5, 5.9.4, 6.0.2

Plugin: WordPress Comments Import & Export

Vulnerability: CSV Injection
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Admin+ Cross-Site Scripting
Patched Version: 2.11.6
Recommended Action: Update to version 2.11.6, or a newer patched version

Plugin: 1app Business Forms

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Wp-Pro-Quiz

Vulnerability: Arbitrary Quiz Deletion via Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EasyRotator for WordPress – Slider Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Verified Reviews (Avis Vérifiés)

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.15
Recommended Action: Update to version 2.3.15, or a newer patched version

Plugin: Login by Auth0

Vulnerability: CSV Injection
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: BestWebSoft's Like & Share – Posts, Pages and Widget Social Extension plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery Filesystem Credential Update
Patched Version: 3.7.21
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.21, 3.8.21, 3.9.19, 4.0.18, 4.1.18, 4.2.15, 4.3.11, 4.4.10, 4.5.9, 4.6.6, 4.7.5

Plugin: MainWP Article Uploader Extension

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: QueryWall: Plug'n Play Firewall

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Photo Gallery

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Download Monitor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version

Plugin: Vertical scroll recent post

Vulnerability: Cross-Site Request Forgery via vsrp_admin_options
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Regenerate & Select Crop

Vulnerability: Sensitive Information Exposure
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version

Plugin: Leaflet Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Sp*tify Play Button for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.08
Recommended Action: Update to version 2.08, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Finalist

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version

Plugin: WPC Smart Wishlist for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: Jobs for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.5.11
Recommended Action: Update to version 2.5.11, or a newer patched version

Plugin: Testimonial Slider Shortcode

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting Vulnerability via Shortcode
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Instant CSS

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Plugmatter Optin Feature Box

Vulnerability: SQL Injection
Patched Version: 2.0.14
Recommended Action: Update to version 2.0.14, or a newer patched version

Plugin: WP-ViperGB

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.3.11
Recommended Action: Update to version 1.3.11, or a newer patched version

Plugin: Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator

Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.0.4
Recommended Action: Update to version 7.0.4, or a newer patched version

Plugin: Gallery from files

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Count per Day

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: Pretty Link Lite

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Bitcoin / Altcoin Faucet

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Burst Statistics – Privacy-Friendly Analytics for WordPress

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: TinyMCE Custom Styles

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via option_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: WP Image Zoom

Vulnerability: Cross-Site Request Forgery to Denial of Service
Patched Version: 1.24
Recommended Action: Update to version 1.24, or a newer patched version

Plugin: Hermit 音乐播放器

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Polls CP

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: WP-CRM – Customer Relations Management for WordPress

Vulnerability: CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.9
Recommended Action: Update to version 5.9, or a newer patched version

Plugin: Clone

Vulnerability: Cross-Site Request Forgery via wp_ajax_tifm_save_decision
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Multiple Cross-Site Scripting Issues
Patched Version: 1.5.46
Recommended Action: Update to version 1.5.46, or a newer patched version

Plugin: LWS Tools

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Database Collation Fix

Vulnerability: Cross-Site Request Forgery via admin_page
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: BuddyPress

Vulnerability: Insufficient Privilege De-escalation
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version

Plugin: salient-core

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: eRoom – Zoom Meetings & Webinars

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: PDF Viewer & 3D PDF Flipbook – DearPDF

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: SQL Injection
Patched Version: 13.1.0.6
Recommended Action: Update to version 13.1.0.6, or a newer patched version

Plugin: Social Sharing Toolkit

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Art Direction

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mail Bank – #1 Mail SMTP Plugin for WordPress

Vulnerability: #1 Mail SMTP Plugin for WordPress <= 4.0.14
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version

Plugin: JobCareer | Job Board Responsive WordPress Theme

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: Personal Dictionary – Vocabulary Games, Memory Games

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: WPForms Pro

Vulnerability: 1.8.5.3
Patched Version: 1.8.5.4
Recommended Action: Update to version 1.8.5.4, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Cross-Site Request Forgery to Product Manipulation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more

Vulnerability: SQL Injection
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: flowpaper

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Mobile App Builder by WapPress

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.64
Recommended Action: Update to version 1.9.64, or a newer patched version

Plugin: Simple Calendar – Google Calendar Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend

Vulnerability: Authenticated (Author+) Privilege Escalation
Patched Version: 3.6.6
Recommended Action: Update to version 3.6.6, or a newer patched version

Plugin: ImageMapper

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Page/Post Deletion via imgmap_delete_area_ajax
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Job Board

Vulnerability: Local File Inclusion
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: Custom Dashboard Widgets

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting via cdw_DashboardWidgets
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kraken.io Image Optimizer

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.9.90
Recommended Action: Update to version 0.9.90, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Request Forgery via ‘display_results’
Patched Version: 8.1.16
Recommended Action: Update to version 8.1.16, or a newer patched version

Plugin: ExportFeed: List WooCommerce Products on eBay Store

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ocean Extra

Vulnerability: Authenticated (Subscriber+) Arbitrary Post Access
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Basic Interactive World Map

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: Web en Mantenimiento

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Welcart e-Commerce

Vulnerability: Object Injection
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Smart SEO Tool – SEO优化插件

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Yoast Duplicate Post

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: WP DSGVO Tools (GDPR)

Vulnerability: Unauthenticated Arbitrary Post Deletion
Patched Version: 3.1.24
Recommended Action: Update to version 3.1.24, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Cross-Site Scripting
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version

Plugin: PDF24 Article To PDF

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SportsPress – Sports Club & League Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.9
Recommended Action: Update to version 2.7.9, or a newer patched version

Plugin: 微信群发助手-Wechat Broadcast

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ImageRecycle pdf & image compression

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.12
Recommended Action: Update to version 3.1.12, or a newer patched version

Plugin: WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps

Vulnerability: Sensitive Information Exposure
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via Caption
Patched Version: 2.5.5.3
Recommended Action: Update to version 2.5.5.3, or a newer patched version

Plugin: Auto Excerpt everywhere

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unyson

Vulnerability: Cross-Site Scripting
Patched Version: 2.7.27
Recommended Action: Update to version 2.7.27, or a newer patched version

Plugin: Multi-column Tag Map

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 17.0.25
Recommended Action: Update to version 17.0.25, or a newer patched version

Plugin: Essential Grid Portfolio – Photo Gallery

Vulnerability: Missing Authorization
Patched Version: 3.0.19
Recommended Action: Update to version 3.0.19, or a newer patched version

Plugin: WP Easy Gallery – WordPress Gallery Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: DW Question Answer Pro

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hide My WP – Amazing Security Plugin for WordPress!

Vulnerability: Authorization Bypass
Patched Version: 6.2.4
Recommended Action: Update to version 6.2.4, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 8.1.12
Recommended Action: Update to version 8.1.12, or a newer patched version

Plugin: Logo Carousel – Responsive Logo Slider, Logo Showcase, and Clients Logo Gallery

Vulnerability: Unauthorised Private Post Access
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Simple Sticky Footer

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Delete Old Orders

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Modern Events Calendar Lite

Vulnerability: Subscriber+ Category Add Leading to Stored Cross-Site Scripting
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: Advanced Ads – Ad Manager & AdSense

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.17.4
Recommended Action: Update to version 1.17.4, or a newer patched version

Plugin: Media File Renamer: Rename for better SEO (AI-Powered)

Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: 5.7.8
Recommended Action: Update to version 5.7.8, or a newer patched version

Plugin: Multiple Roles

Vulnerability: Privilege Escalation
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: SEO Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: WordPress Live Chat Plugin for Elementor – LiveChat

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.14
Recommended Action: Update to version 1.0.14, or a newer patched version

Plugin: Easy Custom Auto Excerpt

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: Insecure Backup/Logfile Generation
Patched Version: 5.3.1
Recommended Action: Update to version 5.3.1, or a newer patched version

Plugin: FourSquare Checkins

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: SiteBuilder Dynamic Components

Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photospace Gallery

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPshop 2 – E-Commerce

Vulnerability: Arbitrary File Upload
Patched Version: 1.3.9.6
Recommended Action: Update to version 1.3.9.6, or a newer patched version

Plugin: Quiz Expert – Easy Quiz Maker, Exam and Test Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Download Monitor

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.3.9
Recommended Action: Update to version 3.3.9, or a newer patched version

Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.5.1
Recommended Action: Update to version 5.5.1, or a newer patched version

Plugin: WP CSV Exporter

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: xili-tidy-tags

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.12.04
Recommended Action: Update to version 1.12.04, or a newer patched version

Plugin: MyCurator Content Curation

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.75
Recommended Action: Update to version 3.75, or a newer patched version

Plugin: Visitor Traffic Real Time Statistics

Vulnerability: Missing Authorization to Arbitrary Plugin Installation/Activation
Patched Version: 2.12
Recommended Action: Update to version 2.12, or a newer patched version

Plugin: WordPress WP-Advanced-Search

Vulnerability: SQL Injection
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version

Plugin: Check & Log Email – Easy Email Testing & Mail logging

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.5.2
Recommended Action: Update to version 0.5.2, or a newer patched version

Plugin: YOP Poll

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.8.1
Recommended Action: Update to version 5.8.1, or a newer patched version

Plugin: Download Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.54
Recommended Action: Update to version 3.2.54, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Insecure Direct Object Reference
Patched Version: 7.3.7
Recommended Action: Update to version 7.3.7, or a newer patched version

Plugin: Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Limit Login Attempts

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.86
Recommended Action: Update to version 1.0.86, or a newer patched version

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.25
Recommended Action: Update to version 3.3.25, or a newer patched version

Plugin: WP Job Openings – Job Listing, Career Page and Recruitment Plugin

Vulnerability: Information Exposure
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Calculated Fields Form

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.0.354
Recommended Action: Update to version 1.0.354, or a newer patched version

Plugin: Easy Testimonials

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9
Recommended Action: Update to version 3.9, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.39
Recommended Action: Update to version 3.39, or a newer patched version

Plugin: Table Rate Shipping Method for WooCommerce by Flexible Shipping

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.11.9
Recommended Action: Update to version 4.11.9, or a newer patched version

Plugin: Simple Login Log

Vulnerability: SQL Injection
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Acunetix WP Security

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: Find and Replace All

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Video Conferencing with Zoom

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: Blog Designer

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.8.12
Recommended Action: Update to version 1.8.12, or a newer patched version

Plugin: eBecas

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated (Author+) Cross-Site Scripting via File Uploads
Patched Version: 3.7.33
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1

Plugin: Announcement & Notification Banner – Bulletin

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.5.3
Recommended Action: Update to version 3.5.3, or a newer patched version

Plugin: Ninja Tables – Easy Data Table Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.3.5
Recommended Action: Update to version 4.3.5, or a newer patched version

Plugin: eShop

Vulnerability: Cross-Site Request Forgery and Reflected Cross-Site Scripting
Patched Version: 6.3.14
Recommended Action: Update to version 6.3.14, or a newer patched version

Plugin: EDD Favorites

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: amerisale-re

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Encrypted Blog

Vulnerability: Open Redirect
Patched Version: 0.0.6.6
Recommended Action: Update to version 0.0.6.6, or a newer patched version

Plugin: Featured Post Creative

Vulnerability: Cross-Site Request Forgery via wpfp_update_featured_post
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: My Tickets – Accessible Event Ticketing

Vulnerability: Authorization Bypass
Patched Version: 1.9.12
Recommended Action: Update to version 1.9.12, or a newer patched version

Plugin: bbPress Voting

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.11.1
Recommended Action: Update to version 2.1.11.1, or a newer patched version

Plugin: Mega Addons For WPBakery Page Builder

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Thumbnail Slider With Lightbox

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.18
Recommended Action: Update to version 1.0.18, or a newer patched version

Plugin: WP Vault

Vulnerability: Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Animated Counters

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Core: WordPress

Vulnerability: Full Path Disclosure
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: easy.jobs- Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg

Vulnerability: Missing Authorization to Settings Update
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: Mark Posts

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Human Presence – Stop Form Spam Without ReCaptcha

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Core: WordPress

Vulnerability: Cryptographic Weakness
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Stout Google Calendar

Vulnerability: Cross-Site Request Forgery via sgc_plugin_options
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Affiliates Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: Amazonify

Vulnerability: Cross-Site Request Forgery to Amazon Tracking ID Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YOP Poll

Vulnerability: Reusable Captcha via validateImage
Patched Version: 6.5.29
Recommended Action: Update to version 6.5.29, or a newer patched version

Plugin: WCP Contact Form

Vulnerability: Reflected Cross-Site Scripting via tab parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: API info for Plugins & Themes from WP.ORG

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.05
Recommended Action: Update to version 1.05, or a newer patched version

Plugin: Anti-Malware Security and Brute-Force Firewall

Vulnerability: Cross-Site Scripting
Patched Version: 4.15.23
Recommended Action: Update to version 4.15.23, or a newer patched version

Plugin: S3bubble Amazon S3 Media Streaming

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SrbTransLatin – Serbian Latinisation

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.47
Recommended Action: Update to version 1.47, or a newer patched version

Plugin: Predictive Search

Vulnerability: Missing Authorization
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: Hover Image

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Missing Authorization Checks
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Forms

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.12.3
Recommended Action: Update to version 1.12.3, or a newer patched version

Plugin: Relevanssi – A Better Search (Pro)

Vulnerability: SQL Injection
Patched Version: 1.14.6.1
Recommended Action: Update to version 1.14.6.1, or a newer patched version

Plugin: Helpful

Vulnerability: Authorization Bypass to Repeat Voting
Patched Version: 4.5.15
Recommended Action: Update to version 4.5.15, or a newer patched version

Plugin: Clean Login

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Information Disclosure via updraft_ajaxrestore
Patched Version: 1.23.1
Recommended Action: Update to version 1.23.1, or a newer patched version

Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Vulnerability: Unauthenticated Arbitrary File Upload via uploadFile
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Custom Field Template

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Font Organizer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Vulnerability: Missing Authorization
Patched Version: 4.8.1
Recommended Action: Update to version 4.8.1, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version

Plugin: WordPress Checkout

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Exploit Scanner

Vulnerability: Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooSidebars Sidebar Manager Converter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Stetic

Vulnerability: No subtitle
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: WordPress Calls to Action

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: bird-feeder

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pricing Tables For WPBakery Page Builder (formerly Visual Composer)

Vulnerability: Authenticated (Subscriber+) Local File Inclusion via Shortcode
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Community by PeepSo – Download from PeepSo.com

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 6.1.0.0
Recommended Action: Update to version 6.1.0.0, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Missing Authorization to Plugin Settings Reset
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Admin Custom Login

Vulnerability: No subtitle
Patched Version: 3.2.8
Recommended Action: Update to version 3.2.8, or a newer patched version

Plugin: Easy Digital Downloads – Recount Earnings

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GEO Redirector

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smart Forms – when you need more than just a contact form

Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: 2.6.71
Recommended Action: Update to version 2.6.71, or a newer patched version

Plugin: Appointment Calendar

Vulnerability: Multiple Reflected Cross-Site Scripting
Patched Version: 2.7.5
Recommended Action: Update to version 2.7.5, or a newer patched version

Plugin: Debug Meta Data

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Client Reports

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.0.17
Recommended Action: Update to version 1.0.17, or a newer patched version

Plugin: URL Shortener by MyThemeShop

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cart66 Lite :: WordPress Ecommerce

Vulnerability: SQL Injection
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Quick Post Duplicator

Vulnerability: Authenticated (Contributor+) SQL Injection via post_id
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Images

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Customer Reviews for WooCommerce

Vulnerability: Sensitive Data Exposure
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: Oxygen

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4
Recommended Action: Update to version 4.4, or a newer patched version

Plugin: Statify – Extended Evaluation

Vulnerability: Authenticated (Admin+) CSV Injection
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: WPlite

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Request a Quote

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: Shortcode for Current Date

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: Rating by BestWebSoft

Vulnerability: Rating Denial of Service
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Smart Marketing SMS and Newsletters Forms

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.8.1
Recommended Action: Update to version 1.4.8.1, or a newer patched version

Plugin: Jetpack – WP Security, Backup, Speed, & Growth

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Captcha Bypass
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version

Plugin: Paytm Payment Gateway

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: Albo Pretorio On line

Vulnerability: Unauthenticated Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Super Cache

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Team Member – Multi Language Supported Team Plugin

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via new_style_name
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: Unyson

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: teachPress

Vulnerability: Cross-Site Request Forgery via delete_database()
Patched Version: 9.0.6
Recommended Action: Update to version 9.0.6, or a newer patched version

Plugin: Mesmerize Companion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.135
Recommended Action: Update to version 1.6.135, or a newer patched version

Core: WordPress

Vulnerability: Arbitrary User Password Reset
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Modula Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: Cooked Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.5.6
Recommended Action: Update to version 1.7.5.6, or a newer patched version

Plugin: WPMobile.App — Android and iOS Mobile Application

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 11.19
Recommended Action: Update to version 11.19, or a newer patched version

Plugin: spideranalyse

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Q and A

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iPanorama 360 – Advanced Virtual Tour Builder

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Smooth Slider

Vulnerability: Authenticated SQL Injection
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Subscriber+) Information Disclosure via ‘mf_first_name’ shortcode
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Smooth Slider

Vulnerability: Authenticated SQL Injection
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: MainWP Post Plus Extension

Vulnerability: Missing Authorization to Arbitrary Page/Post Deletion
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: WP Ultimate Email Marketer

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YITH Maintenance Mode

Vulnerability: Multiple Authenticated Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: EasyRecipe

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Modula Image Gallery

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 2.6.91
Recommended Action: Update to version 2.6.91, or a newer patched version

Plugin: Under Construction / Maintenance Mode from Acurax

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comments – wpDiscuz

Vulnerability: Authenticated (Author+) Insecure Direct Object Reference
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version

Plugin: WP Shamsi – افزونه تاریخ شمسی و فارسی ساز وردپرس

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: Icons for Features

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.1.3
Recommended Action: Update to version 1.5.1.3, or a newer patched version

Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 2.9.3
Recommended Action: Update to version 2.9.3, or a newer patched version

Plugin: H5P CSS Editor

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Avada (Fusion) Builder

Vulnerability: Missing Authorization
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version

Plugin: GTM Server Side

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 8.0.27
Recommended Action: Update to version 8.0.27, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Reflected Cross-Site Scripting via ‘wpforo_debug’
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: wordpress-gallery-transformation

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ivory Search – WordPress Search Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: YARPP – Yet Another Related Posts Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.30.4
Recommended Action: Update to version 5.30.4, or a newer patched version

Plugin: Rename wp-login.php

Vulnerability: Cross-Site Request Forgery & Unauthenticated Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pixabay Images

Vulnerability: Directory Traversal
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: My Agile Privacy – The only GDPR solution for WP that you can truly trust

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Sensitive Data Exposure
Patched Version: 1.10.6
Recommended Action: Update to version 1.10.6, or a newer patched version

Plugin: CP Blocks

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.0.21
Recommended Action: Update to version 1.0.21, or a newer patched version

Plugin: Social Count Plus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Easy Media Gallery Pro

Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Authenticated (level_5+) SQL Injection via get_logs
Patched Version: 2.8.22
Recommended Action: Update to version 2.8.22, or a newer patched version

Plugin: CallRail Phone Call Tracking

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.5.3
Recommended Action: Update to version 0.5.3, or a newer patched version

Plugin: reCaptcha by BestWebSoft

Vulnerability: CAPTCHA Bypass
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version

Plugin: Optin Forms – Simple List Building Plugin for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Business Directory Plugin – Easy Listing Directories for WordPress

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 5.11
Recommended Action: Update to version 5.11, or a newer patched version

Plugin: WP Easy Gallery – WordPress Gallery Plugin

Vulnerability: SQL Injection
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Author Bio Box

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: SupportCandy – Helpdesk & Customer Support Ticket System

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Missing Authorization via ajax_delete_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: All In One Redirection

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: YOP Poll

Vulnerability: Race Condition to Vote Manipulation
Patched Version: 6.5.27
Recommended Action: Update to version 6.5.27, or a newer patched version

Plugin: WP Attachments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: Traffic Manager

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Leadster

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Insert Special Characters

Vulnerability: Prototype Pollution
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Cross-Site Request Forgery to File Upload
Patched Version: 21.3
Recommended Action: Update to version 21.3, or a newer patched version

Plugin: cformsII

Vulnerability: SQL Injection
Patched Version: 14.6.10
Recommended Action: Update to version 14.6.10, or a newer patched version

Plugin: External Links – nofollow, noopener & new window

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.81
Recommended Action: Update to version 1.81, or a newer patched version

Plugin: WP Debugging

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.11.8
Recommended Action: Update to version 2.11.8, or a newer patched version

Plugin: Age Gate

Vulnerability: Cross-Site Scripting via Data Import
Patched Version: 2.17.1
Recommended Action: Update to version 2.17.1, or a newer patched version

Plugin: WP Inventory Manager

Vulnerability: Reflected Cross-Site Scripting via ‘message’
Patched Version: 2.1.0.12
Recommended Action: Update to version 2.1.0.12, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Authenticated Blind SQL Injection
Patched Version: 9.4.1
Recommended Action: Update to version 9.4.1, or a newer patched version

Plugin: Ultimate Addons for Contact Form 7

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Unauthenticated PHP Object Injection via Cookies
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version

Plugin: Contact Form Manager

Vulnerability: Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Product page shipping calculator for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: 1.3.26
Recommended Action: Update to version 1.3.26, or a newer patched version

Plugin: ActivityPub

Vulnerability: Missing Authorization
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: WordPress RokBox

Vulnerability: Content Spoofing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: My YouTube Channel

Vulnerability: Cross-Site Request Forgery to Cache Deletion
Patched Version: 3.23.4
Recommended Action: Update to version 3.23.4, or a newer patched version

Plugin: IdeaPush

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 8.53
Recommended Action: Update to version 8.53, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version

Plugin: Lana Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, Point Rewards, Referral Points, Reward for Points, User Badges, and Gamification

Vulnerability: Cross-Site Request Forgery to Settings Change
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Master Elements

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme

Vulnerability: Open Redirect
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ARI Stream Quiz – WordPress Quizzes Builder

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: WooCommerce Product Table Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP

Vulnerability: Cross-Site Scripting
Patched Version: 4.29.5
Recommended Action: Update to version 4.29.5, or a newer patched version

Plugin: Radio Station by netmix® – Manage and play your Show Schedule in WordPress!

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: ShiftNav – Responsive Mobile Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: Post Views Count (Support caching plugins!)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by Ays – Responsive Image Gallery

Vulnerability: Responsive Image Gallery <= 4.4.3
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: MainWP Code Snippets Extension

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Simple Blog Card

Vulnerability: Sensitive Information Exposure
Patched Version: 1.32
Recommended Action: Update to version 1.32, or a newer patched version

Plugin: ANAC XML Bandi di Gara

Vulnerability: Cross-Site Request Forgery via settings.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DVS Custom Notification

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Author+ Stored Cross-Site Scripting
Patched Version: 5.7.8
Recommended Action: Update to version 5.7.8, or a newer patched version

Plugin: WSM Downloader

Vulnerability: Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Solidres – Hotel booking plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar

Vulnerability: SQL Injection
Patched Version: 2.3.12
Recommended Action: Update to version 2.3.12, or a newer patched version

Plugin: Product Catalog Simple

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.5.13
Recommended Action: Update to version 1.5.13, or a newer patched version

Core: WordPress

Vulnerability: Privilege Escalation via XML-RPC
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.7, 5.2.8, 5.3.5, 5.4.3, 5.5.2

Plugin: Watu Quiz

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.8.2
Recommended Action: Update to version 3.3.8.2, or a newer patched version

Plugin: WooCommerce

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Securimage-WP

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tidio Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WHA Puzzle

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP htpasswd

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Share Buttons by Supsystic

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Email Newsletter

Vulnerability: Sensitive Information Disclosure
Patched Version: 9.0
Recommended Action: Update to version 9.0, or a newer patched version

Plugin: iframe

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘iframe’ Shortcode
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version

Plugin: MC4WP: Mailchimp for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.8.5
Recommended Action: Update to version 4.8.5, or a newer patched version

Plugin: WP Hotel Booking

Vulnerability: Insufficient Authorization to Unauthorized Post Deletion
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Fast Flow

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.34
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.34, 3.8.34, 3.9.32, 4.0.31, 4.1.31, 4.2.28, 4.3.24, 4.4.23, 4.5.22, 4.6.19, 4.7.18, 4.8.14, 4.9.15, 5.0.10, 5.1.6, 5.2.7, 5.3.4, 5.4.2

Plugin: Appointment Hour Booking – WordPress Booking Plugin

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.56
Recommended Action: Update to version 1.3.56, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: WP Insurance – WordPress Insurance Service Plugin

Vulnerability: Cross-Site Request Forgery leading to Arbitrary Plugin Activation
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: tagDiv Composer

Vulnerability: Reflected Cross-Site Scripting via ‘td_video_url’
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: WP Total Hacks

Vulnerability: Authenticated (Subscriber+) Plugin Options Update to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YITH WooCommerce Wishlist

Vulnerability: SQL Injection
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: WP Content Pilot – Autoblogging & Affiliate Marketing Plugin

Vulnerability: Authenticated (Contributor+) Content Injection
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Visual Form Builder

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: 2.8.3
Recommended Action: Update to version 2.8.3, or a newer patched version

Plugin: WP RSS By Publishers

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.0
Recommended Action: Update to version 2.10.0, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: SQL Injection
Patched Version: 0.5.16
Recommended Action: Update to version 0.5.16, or a newer patched version

Plugin: WP Flipclock

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Rate My Post – Star Rating Plugin by FeedbackWP

Vulnerability: Race Condition
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: Stock Manager for WooCommerce

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Ninja Job Board – Ultimate WordPress Job Board Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Caldera Forms – More Than Contact Forms

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Workscout Core

Vulnerability: Job Board WordPress Theme <= 2.0.31
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: WP-Members Membership Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.10
Recommended Action: Update to version 2.8.10, or a newer patched version

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: Rearrange Woocommerce Products

Vulnerability: Subscriber+ SQL Injection
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: WP Maintenance Mode & Site Under Construction

Vulnerability: Improper Authorization
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: GigPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.28
Recommended Action: Update to version 2.3.28, or a newer patched version

Plugin: Stylish Price List – Price Table Builder & QR Code Restaurant Menu

Vulnerability: Missing Authorization
Patched Version: 6.9.1
Recommended Action: Update to version 6.9.1, or a newer patched version

Plugin: Admin Bar & Dashboard Access Control

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Owl Carousel

Vulnerability: Missing Authorization via save_paramter.php
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media File Manager

Vulnerability: Directory Traversal to Arbitrary File Read
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Contextual Related Posts

Vulnerability: Missing Authorization in crp_ajax_clearcache
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: OpenHook

Vulnerability: Authenticated (Subscriber+) Remote Code Execution via Shortcode
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: Error Log Viewer by BestWebSoft

Vulnerability: Arbitrary File Deletion
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: IP Blacklist Cloud

Vulnerability: SQL Injections
Patched Version: 3.41
Recommended Action: Update to version 3.41, or a newer patched version

Plugin: Product Stock Manager

Vulnerability: Missing Authorization and Cross-Site Request Forgery
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Checkout Field Manager (Checkout Manager) for WooCommerce

Vulnerability: Unauthenticated Arbitrary Media Deletion
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version

Plugin: Easy Google Analytics for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Official Integration for Billingo

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 4.68
Recommended Action: Update to version 4.68, or a newer patched version

Plugin: Simple Job Board

Vulnerability: No subtitle
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version

Plugin: BA Book Everything

Vulnerability: Cross-Site Scripting and Cross-Frame Scripting
Patched Version: 1.3.25
Recommended Action: Update to version 1.3.25, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title_size
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: WP Live.php

Vulnerability: Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: WP Default Feature Image

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.30
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.14, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3

Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

Vulnerability: Unauthenticated Stored Cross-Site Scripting via edit_doc_one_page
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: mb.miniAudioPlayer – an HTML5 audio player for your mp3 files

Vulnerability: Multiple Vulnerabilities
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Login with phone number

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Plausible Analytics

Vulnerability: Missing Authorization
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Blog Manager Light

Vulnerability: Cross-Site Request Forgery via bml_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Automatic Domain Changer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard

Vulnerability: Cross-Site Request Forgery via white_label_reset_wl_admins
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: WatchTowerHQ

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 3.6.16
Recommended Action: Update to version 3.6.16, or a newer patched version

Plugin: Analytics for Woo – Putler Accurate Analytics and Reports for your WooCommerce Store

Vulnerability: Missing Authorization via ‘send_resync_request’
Patched Version: 2.13.0
Recommended Action: Update to version 2.13.0, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Authenticated (SEO Manager+) Stored Cross-Site Scripting
Patched Version: 21.1
Recommended Action: Update to version 21.1, or a newer patched version

Plugin: surveys

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in saveconfig function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: tagDiv Composer

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: RokNewsPager

Vulnerability: Denial of Service
Patched Version: 1.18
Recommended Action: Update to version 1.18, or a newer patched version

Plugin: SS Downloads

Vulnerability: Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features

Vulnerability: Arbitrary File Upload
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: Easy PayPal Events

Vulnerability: Reflected Cross-Site Scripting via Page
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Booking Package

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.11
Recommended Action: Update to version 1.5.11, or a newer patched version

Plugin: OTP Login Woocommerce (Login with OTP)

Vulnerability: Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Missing Authorization
Patched Version: 4.2.3.1
Recommended Action: Update to version 4.2.3.1, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Customizer
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Plugin: Leaflet Maps Marker Pro

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Enable Media Replace

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: Visual Slide Box Builder

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Addons for Beaver Builder

Vulnerability: Authenticated (Contributor+) Directory Traversal to Arbitrary File Download
Patched Version: 1.35.14
Recommended Action: Update to version 1.35.14, or a newer patched version

Plugin: Booster Plus for WooCommerce

Vulnerability: Missing Authorization to Order Information Disclosure
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: Simple Calendar – Google Calendar Plugin

Vulnerability: Cross-Site Request Forgery via duplicate_feed
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Core: WordPress

Vulnerability: Directory Traversal
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Core: WordPress

Vulnerability: 6.3.1
Patched Version: 4.7.27
Recommended Action: Update to one of the following versions, or a newer patched version: 4.7.27, 4.8.23, 4.9.24, 5.0.20, 5.1.17, 5.2.19, 5.3.16, 5.4.14, 5.5.13, 5.6.12, 5.7.10, 5.8.8, 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2

Plugin: gravity-file-ajax-upload-free

Vulnerability: Unrestricted File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Companion Auto Update

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Waiting: One-click countdowns

Vulnerability: Missing Authorization Checks leading to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 10Web Social Post Feed

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.1.27
Recommended Action: Update to version 1.1.27, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Admin+) Cross-Site Scripting via label
Patched Version: 3.6.10
Recommended Action: Update to version 3.6.10, or a newer patched version

Plugin: Visual Composer Website Builder

Vulnerability: Authenticated Stored Cross-Site Scripting via ‘Text Block’
Patched Version: 45.0.1
Recommended Action: Update to version 45.0.1, or a newer patched version

Plugin: Multi Step Form

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.32
Recommended Action: Update to version 7.32, or a newer patched version

Plugin: Simple Basic Contact Form

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 20221201
Recommended Action: Update to version 20221201, or a newer patched version

Plugin: TemplatesNext ToolKit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version

Plugin: WPGraphQL

Vulnerability: Authenticated (Editor+) Server-Side Request Forgery
Patched Version: 1.14.6
Recommended Action: Update to version 1.14.6, or a newer patched version

Plugin: Accept Donations with PayPal & Stripe

Vulnerability: Reflected Cross-Site Scripting via Page
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Job Board by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WPGet API – Connect to any external REST API

Vulnerability: Not stated (this entry gives only a version number, 2.2.1, where the vulnerability type should be)
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Missing Authorization
Patched Version: 1.0.99
Recommended Action: Update to version 1.0.99, or a newer patched version

Plugin: Form Builder | Create Responsive Contact Forms

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.9.8.4
Recommended Action: Update to version 1.9.8.4, or a newer patched version

Plugin: Easy Appointments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version

Plugin: Foliopress WYSIWYG

Vulnerability: Cross-Site Scripting
Patched Version: 2.6.8.5
Recommended Action: Update to version 2.6.8.5, or a newer patched version

Plugin: VK All in One Expansion Unit

Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI
Patched Version: 9.87.1.0
Recommended Action: Update to version 9.87.1.0, or a newer patched version

Plugin: WP Email Users

Vulnerability: SQL Injection
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Social Slider Feed

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: BNG Gateway For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YouTube Video Inserter

Vulnerability: Not stated (no details are given for this entry)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Online Lesson Booking

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.8.7
Recommended Action: Update to version 0.8.7, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Missing Authorization Checks
Patched Version: 6.4.1
Recommended Action: Update to version 6.4.1, or a newer patched version

Plugin: WordPress Email Marketing Plugin – WP Email Capture

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.10
Recommended Action: Update to version 3.10, or a newer patched version

Plugin: Simple Page Transition

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP RSS By Publishers

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: KiviCare – Clinic & Patient Management System (EHR)

Vulnerability: Sensitive Information Exposure
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: WP Reroute Email

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: YASR – Yet Another Star Rating Plugin for WordPress

Vulnerability: Missing Authorization via init
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.3.27
Recommended Action: Update to version 3.3.27, or a newer patched version

Plugin: Localize My Post

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hide My WP – Amazing Security Plugin for WordPress!

Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.2.9
Recommended Action: Update to version 6.2.9, or a newer patched version

Plugin: Slideshow Gallery

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: TweetScribe

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Payment Gateway per Category

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Optin Forms – Simple List Building Plugin for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Wbcom Designs – BuddyPress Group Reviews

Vulnerability: Unauthorized AJAX Actions due to Nonce Bypass
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 7.3.10
Recommended Action: Update to version 7.3.10, or a newer patched version

Plugin: WP-ViperGB

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.16
Recommended Action: Update to version 1.3.16, or a newer patched version

Plugin: FoxyPress

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CT Commerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Instagram for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Reflected Cross-Site Scripting via ‘event_id’
Patched Version: 3.1.6
Recommended Action: Update to version 3.1.6, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Unrestricted SVG Uploads
Patched Version: 3.0.14
Recommended Action: Update to version 3.0.14, or a newer patched version

Plugin: External Media

Vulnerability: Authenticated (Author+) File Upload to Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YouTube Playlist Player

Vulnerability: Cross-Site Request Forgery in ytpp_settings
Patched Version: 4.6.5
Recommended Action: Update to version 4.6.5, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: CSV Injection
Patched Version: 2.9.28
Recommended Action: Update to version 2.9.28, or a newer patched version

Plugin: Fast Flow

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version

Plugin: Integrate Google Drive

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Products Quick View for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Creative Contact Form

Vulnerability: Arbitrary File Upload
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: Very Simple Quiz

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Event Expresso Free

Vulnerability: Authenticated SQL Injection
Patched Version: 3.1.37.12.L
Recommended Action: Update to version 3.1.37.12.L, or a newer patched version

Plugin: Generate PDF using Contact Form 7

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Information Disclosure
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.

Vulnerability: Subscriber+ Arbitrary File/Folder Deletion
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: WPtouch – Make your WordPress Website Mobile-Friendly

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.44
Recommended Action: Update to version 4.3.44, or a newer patched version

Plugin: MainWP File Uploader Extension

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Plugin: Superb slideshow gallery

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 13.2
Recommended Action: Update to version 13.2, or a newer patched version

Plugin: WooCommerce

Vulnerability: Authenticated Blind SQL Injection
Patched Version: 3.3.6
Recommended Action: Update to one of the following versions, or a newer patched version: 3.3.6, 3.4.8, 3.5.9, 3.6.6, 3.7.2, 3.8.2, 3.9.4, 4.0.2, 4.1.2, 4.2.3, 4.3.4, 4.4.2, 4.5.3, 4.6.3, 4.7.2, 4.8.1, 4.9.3, 5.0.1, 5.1.1, 5.2.3, 5.3.1, 5.4.2, 5.5.1, 5.5.2

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Multiple SQL Injections
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: Continuous Image Carousel With Lightbox

Vulnerability: Reflected Cross-Site Scripting via search_term, order_by and order_pos
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version

Plugin: PDF Block

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Multicons [ Multiple Favicons ]

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: JobSearch WP Job Board

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: WP CleanFix

Vulnerability: Remote Code Execution
Patched Version: 5.0.0
Recommended Action: Update to version 5.0.0, or a newer patched version

Plugin: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.19.2
Recommended Action: Update to version 2.19.2, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Sensitive Information Exposure
Patched Version: 7.3.15.727
Recommended Action: Update to version 7.3.15.727, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Not stated (this entry gives only the affected range, versions <= 1.8.19)
Patched Version: 1.8.20
Recommended Action: Update to version 1.8.20, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Unauthenticated Stored Cross-Site Scripting via REST API
Patched Version: 9.0.28
Recommended Action: Update to version 9.0.28, or a newer patched version

Plugin: Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN

Vulnerability: Directory Traversal
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: WP-Business Directory

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JetBackup – WP Backup, Migrate & Restore

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.9.1
Recommended Action: Update to version 1.6.9.1, or a newer patched version

Plugin: G-Lock Double Opt-in Manager

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Read more By Adam

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Flipbox – Awesomes Flip Boxes Image Overlay

Vulnerability: Authenticated (Admin+) Arbitrary Options Update
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Magee Shortcodes

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass to Information Disclosure
Patched Version: 3.7.11
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.11, 3.8.11, 3.9.9, 4.0.8, 4.1.8, 4.2.5, 4.3.1
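The "Update to one of the following versions" entries (the WooCommerce entry and the WordPress core entries in this roundup) list one patched release per maintained branch, so the correct target is the release in the branch you are running, not the highest number in the list; a site on 4.2.4 needs 4.2.5, not 4.3.1. The Python script below is an added example, not code from the roundup or from WordPress: it parses a Recommended Action line into its version list and decides whether an installed version already carries the fix. Its branch rules (a branch newer than every listed branch is assumed patched, a branch older than or between listed branches is assumed unpatched, and single-version entries, including date-style versions such as 20230811, are compared as plain "this or newer") and its simplified dotted comparison, which is not PHP's version_compare(), are assumptions of the example. The sample action lines are constructed from entries on this page.

```python
"""Version check for Watch Out Wednesday entries.

Added example, not code from the roundup or from WordPress.  The comparison
is a simplified dotted-version compare, not PHP's version_compare().
"""
import re
from typing import List, Sequence, Tuple

VersionKey = Tuple[Tuple[int, object], ...]

# Constructed sample action lines, copied from entries in the roundup.
CORE_ACTION = (
    "Recommended Action: Update to one of the following versions, or a newer "
    "patched version: 3.7.11, 3.8.11, 3.9.9, 4.0.8, 4.1.8, 4.2.5, 4.3.1"
)
SINGLE_ACTION = "Recommended Action: Update to version 3.3.6, or a newer patched version"
NO_PATCH_ACTION = "Recommended Action: No known patch available. Please review the vulnerability details in depth."


def parse_version(version: str) -> VersionKey:
    """Turn '6.3.2' into a tuple that compares the way a dotted version should.

    Numeric components sort as integers (so 4.10 > 4.9); a non-numeric
    component such as the 'L' in '3.1.37.12.L' sorts after any number.
    Trailing '.0' components are dropped so that '4.2' == '4.2.0'.
    """
    key: List[Tuple[int, object]] = []
    for part in version.strip().lstrip("vV").split("."):
        key.append((0, int(part)) if part.isdigit() else (1, part.lower()))
    while len(key) > 1 and key[-1] == (0, 0):
        key.pop()
    return tuple(key)


def patched_versions_from_action(action: str) -> List[str]:
    """Extract the version list from a 'Recommended Action:' line.

    Returns [] for the 'No known patch available' wording.  Version tokens
    are dotted digit groups with an optional alphabetic tail (3.1.37.12.L).
    """
    if "No known patch" in action:
        return []
    return re.findall(r"\b\d+(?:\.\d+)*(?:\.[A-Za-z]+)?\b", action)


def is_patched(installed: str, patched: Sequence[str]) -> bool:
    """Decide whether `installed` already carries the fix (assumed rules).

    * no patched version listed            -> vulnerable
    * exactly one version listed           -> installed >= that version
    * several versions (one per branch):
        - a listed version shares the installed major.minor branch:
            installed >= that version
        - installed branch newer than every listed branch: patched
          (the fix shipped in that branch's first release)
        - otherwise (older than or between listed branches): vulnerable
    """
    if not patched:
        return False
    inst = parse_version(installed)
    keys = [parse_version(p) for p in patched]
    if len(keys) == 1:
        return inst >= keys[0]
    same_branch = [k for k in keys if k[:2] == inst[:2]]
    if same_branch:
        return inst >= min(same_branch)
    return inst[:2] > max(k[:2] for k in keys)


def check_entry(installed: str, action_line: str) -> str:
    """One-line verdict for an installed version against an entry's action line."""
    versions = patched_versions_from_action(action_line)
    if not versions:
        return f"{installed}: no patch available; mitigate or remove the plugin"
    if is_patched(installed, versions):
        return f"{installed}: patched"
    return f"{installed}: VULNERABLE, update to one of {', '.join(versions)}"


if __name__ == "__main__":
    for v in ("4.2.4", "4.2.5", "3.6.1", "4.4.0"):
        print(check_entry(v, CORE_ACTION))
    print(check_entry("3.3.5", SINGLE_ACTION))
    print(check_entry("1.0", NO_PATCH_ACTION))
```

In practice the installed versions come from the site itself, for example from `wp plugin list --fields=name,version --format=json` and `wp core version` on a WP-CLI host; feed each version to check_entry together with the matching Recommended Action line. Note the conservative choice for multi-branch entries: a branch that is not in the list and not newer than every listed branch is reported as vulnerable, because the roundup gives no evidence that a backport exists for it.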

Plugin: Drag & Drop Builder, Human Face Detector, Pre-built Templates, Spam Protection, User Email Notifications & more!

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.9.4
Recommended Action: Update to version 1.4.9.4, or a newer patched version

Plugin: Export All URLs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: Site Reviews

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 5.13.1
Recommended Action: Update to version 5.13.1, or a newer patched version

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: Mediabay – Media Library Folders

Vulnerability: Missing Authorization via AJAX actions
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Amazon Affiliate Link Localizer

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Block Plugin Update

Vulnerability: Cross-Site Request Forgery via bspu_plugin_select.php
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.63
Recommended Action: Update to version 1.5.63, or a newer patched version

Plugin: Easy Updates Manager

Vulnerability: Insufficient Restrictions on Option Changes
Patched Version: 8.0.5
Recommended Action: Update to version 8.0.5, or a newer patched version

Plugin: Cookies by JM

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Cart Link for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: WHIZZ

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Members Import

Vulnerability: Self Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: New User Approve

Vulnerability: Cross-Site Request Forgery via admin_notices
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Smart Forms – when you need more than just a contact form

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 2.6.85
Recommended Action: Update to version 2.6.85, or a newer patched version

Plugin: Elementor Forms Google Sheet Connector Pro

Vulnerability: Reflected Cross-Site Scripting via ‘code’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Smoothscroller

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Booster Plus for WooCommerce

Vulnerability: Cross-Site Request Forgery to File Deletion
Patched Version: 5.6.5
Recommended Action: Update to version 5.6.5, or a newer patched version

Plugin: WP Page Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Missing Authorization on ajax_edit_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Kanban Boards for WordPress

Vulnerability: Authenticated (Administrator+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: Shortcode IMDB

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery Plugin for WordPress – Envira Photo Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.4.7
Recommended Action: Update to version 1.8.4.7, or a newer patched version

Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin

Vulnerability: Multiple Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Asgaros Forum

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Leyka

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.30
Recommended Action: Update to version 3.30, or a newer patched version

Plugin: Nextend Twitter Connect

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Connections Business Directory

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 10.4.3
Recommended Action: Update to version 10.4.3, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via cg_multiple_files_for_post
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Subscriber+ Arbitrary File Upload
Patched Version: 4.24
Recommended Action: Update to version 4.24, or a newer patched version

Plugin: Testimonial Slider – Free Testimonials Slider Plugin

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.5.8.4
Recommended Action: Update to version 3.5.8.4, or a newer patched version

Plugin: WP-Table

Vulnerability: Remote File Inclusion
Patched Version: 1.44
Recommended Action: Update to version 1.44, or a newer patched version

Plugin: YITH WooCommerce Bulk Product Editing

Vulnerability: Authenticated Settings Change
Patched Version: 1.2.14
Recommended Action: Update to version 1.2.14, or a newer patched version

Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP

Vulnerability: Cross-Site Scripting
Patched Version: 4.29.9
Recommended Action: Update to version 4.29.9, or a newer patched version

Plugin: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress RokBox

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Monitor

Vulnerability: Authenticated (Admin+) Arbitrary File Download
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version

Plugin: Speed Booster Pack ⚡ PageSpeed Optimization Suite

Vulnerability: Admin+ SQL Injection
Patched Version: 4.3.3.1
Recommended Action: Update to version 4.3.3.1, or a newer patched version

Plugin: User Login History

Vulnerability: Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Post List Designer by Category – List Category Post Or Recent Post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: If Menu – Visibility control for Menus

Vulnerability: Missing Authorization to Admin Settings Modification
Patched Version: 0.17
Recommended Action: Update to version 0.17, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Missing Authorization via handleBeforeGateway
Patched Version: 2.33.2
Recommended Action: Update to version 2.33.2, or a newer patched version

Plugin: Kama Click Counter

Vulnerability: Cross-Site Scripting
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: WebP Express

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.14.11
Recommended Action: Update to version 0.14.11, or a newer patched version

Plugin: Welcart e-Commerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: 0mk Shortener

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PDF Builder for WooCommerce. Create invoices,packing slips and more

Vulnerability: Cross-Site Request Forgery to Custom Field Creation
Patched Version: 1.2.91
Recommended Action: Update to version 1.2.91, or a newer patched version

Plugin: Jquery news ticker

Vulnerability: Authenticated (Subscriber+) SQL Injection via Shortcode
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Nelio AB Testing

Vulnerability: Server-Side Request Forgery
Patched Version: 4.5.9
Recommended Action: Update to version 4.5.9, or a newer patched version

Plugin: WP Plugin Lister

Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: W3 Total Cache

Vulnerability: Cross-Site Scripting via request_id
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: Share and Follow

Vulnerability: Cross-Site Scripting
Patched Version: 1.80.4
Recommended Action: Update to version 1.80.4, or a newer patched version

Plugin: screets-lcx

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: Login/Signup Popup ( Inline Form + Woocommerce )

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: IMPress Listings

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version

Plugin: WP REST API (WP API)

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Google SEO Pressor for Rich snippets

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: PubyDoc – Data Tables and Charts

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Vospari Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: User Submitted Posts – Enable Users to Submit Posts from the Front End

Vulnerability: Unauthenticated Stored Cross-Site Scripting via ‘user-submitted-content’
Patched Version: 20230811
Recommended Action: Update to version 20230811, or a newer patched version

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode

Vulnerability: Cross-Site Scripting via social_icon_1 parameter
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version

Plugin: Simple Page Ordering

Vulnerability: Regular Expression Denial of Service
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version

Plugin: ARI Fancy Lightbox – Popup for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Photospace Responsive Gallery

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Vulnerability: Authenticated (Administrator+) SQL Injection via orderby
Patched Version: 2.3.29
Recommended Action: Update to version 2.3.29, or a newer patched version

Plugin: FontMeister – The Font Management Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Request Forgery Protection Bypass
Patched Version: 3.7.4
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.4, 3.8.4, 3.9.2

Plugin: Greeklish-permalink

Vulnerability: Missing Authorization via cyrtrans_ajax_old AJAX action
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: Post to CSV by BestWebSoft

Vulnerability: Authenticated (Author+) CSV Injection
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Authenticated SQL Injection
Patched Version: 12.0.8
Recommended Action: Update to version 12.0.8, or a newer patched version

Plugin: CM WordPress Search And Replace Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: WP-RecentComments

Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Erident Custom Login and Dashboard

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Zoho SalesIQ – Live chat, chatbots, and visitor tracking

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Lava Directory Manager

Vulnerability: Unauthenticated Stored Cross-Site Scripting via New Listing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP OAuth Server (OAuth Authentication)

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Deletion (wo_ajax_remove_client)
Patched Version: 4.2.5
Recommended Action: Update to version 4.2.5, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Unauthenticated Blind SQL Injection via time Parameter
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: Advanced Forms for ACF

Vulnerability: Insecure Direct Object Reference
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version

Plugin: iFeature Slider

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mailrelay

Vulnerability: Cross-Site Request Forgery via render_admin_page
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Cookie Information | Free GDPR Consent Solution

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: WPS Child Theme Generator

Vulnerability: Directory Traversal
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: My Tickets – Accessible Event Ticketing

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.11
Recommended Action: Update to version 1.9.11, or a newer patched version

Plugin: WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件

Vulnerability: Cross-Site Scripting
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: SlimStat Analytics

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 5.0.9
Recommended Action: Update to version 5.0.9, or a newer patched version

Plugin: Mingle Forum

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.33.2
Recommended Action: Update to version 1.0.33.2, or a newer patched version

Plugin: WordPress Users

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.13.60
Recommended Action: Update to version 1.13.60, or a newer patched version

Plugin: WP-DBManager

Vulnerability: Arbitrary File Read
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: WP eCommerce

Vulnerability: SQL Injection
Patched Version: 3.11.4
Recommended Action: Update to version 3.11.4, or a newer patched version

Plugin: Registrations for the Events Calendar – Event Registration Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 3.5.25
Recommended Action: Update to version 3.5.25, or a newer patched version

Plugin: Post Connector

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: RSS Feed Reader

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.14.12
Recommended Action: Update to version 1.14.12, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Missing Authorization to Non-Arbitrary File Upload
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: 1g-music-share

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Stock in & out

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.67
Recommended Action: Update to version 1.3.67, or a newer patched version

Plugin: Shop as a Customer for WooCommerce

Vulnerability: Authenticated (Shop Manager+) Privilege Escalation
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Analyticator

Vulnerability: Cross-Site Scripting
Patched Version: 6.4.9.6
Recommended Action: Update to version 6.4.9.6, or a newer patched version

Plugin: Urvanov Syntax Highlighter

Vulnerability: Cross-Site Request Forgery via init_ajax
Patched Version: 2.8.34
Recommended Action: Update to version 2.8.34, or a newer patched version

Plugin: Donation Platform for WooCommerce: Fundraising & Donation Management

Vulnerability: Cross-Site Request Forgery to Survey Submission
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version

Plugin: WPGraphQL WooCommerce

Vulnerability: Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Hide Post

Vulnerability: Cross-Site Request Forgery via save_bulk_edit_data
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Database Reset

Vulnerability: Privilege Escalation
Patched Version: 3.15
Recommended Action: Update to version 3.15, or a newer patched version

Plugin: Form Builder | Create Responsive Contact Forms

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.8.5
Recommended Action: Update to version 1.9.8.5, or a newer patched version

Plugin: Role Scoper (Obsolete – Please install PublishPress Permissions)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.67
Recommended Action: Update to version 1.3.67, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Cross-Site Scripting
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version

Plugin: WordPress Processing Embed

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Notices

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: InBoundio Marketing

Vulnerability: Arbitrary File Upload
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: Relevanssi – A Better Search (Pro)

Vulnerability: Missing Authorization
Patched Version: 2.16.5
Recommended Action: Update to version 2.16.5, or a newer patched version

Plugin: Participants Database

Vulnerability: Missing Authorization
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: Throws SPAM Away

Vulnerability: Cross-Site Request Forgery to Comment Modification
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: WordPress Filter Gallery Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.1.6
Recommended Action: Update to version 0.1.6, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Directory Traversal
Patched Version: 2.0.40
Recommended Action: Update to version 2.0.40, or a newer patched version

Core: WordPress

Vulnerability: Missing Session Cookie Expiration
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Social Media Share Buttons & Social Sharing Icons

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Email Log

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Conditional Fields for Contact Form 7

Vulnerability: Missing Authorization
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Cimy Header Image Rotator

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bloom Email Opt-In

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: NMI Gateway For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Download Monitor

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: Meks Audio Player

Vulnerability: Cross-Site Request Forgery via meks_remove_notification
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: efence

Vulnerability: Multiple Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Webmention

Vulnerability: Reflected Cross-Site Scripting via ‘replytocom’
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: WP Downgrade | Specific Core Version

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Contact Form 7 Captcha

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.0.9
Recommended Action: Update to version 0.0.9, or a newer patched version

Plugin: Bradesco Gateway

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: IP Blacklist Cloud

Vulnerability: Authenticated (Admin+) Path Traversal
Patched Version: 3.43
Recommended Action: Update to version 3.43, or a newer patched version

Plugin: Easy Google Adsense and Banner Ads Manager – AdsforWP

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Asgaros Forum

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.15.14
Recommended Action: Update to version 1.15.14, or a newer patched version

Core: WordPress

Vulnerability: Full Path Disclosure
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.3.9.3
Recommended Action: Update to version 1.3.9.3, or a newer patched version

Plugin: sintic_gallery

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Auto Publish for Google My Business

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8
Recommended Action: Update to version 3.8, or a newer patched version

Plugin: WordPress + Microsoft Office 365 / Azure AD | LOGIN

Vulnerability: Authentication Bypass
Patched Version: 11.7
Recommended Action: Update to version 11.7, or a newer patched version

Plugin: Email Subscriber

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!

Vulnerability: SQL Injection
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version

Plugin: OWM Weather

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.6.12
Recommended Action: Update to version 5.6.12, or a newer patched version

Plugin: Advance Menu Manager

Vulnerability: Cross-Site Request Forgery to Menu Edition
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Revamp CRM for WooCommerce

Vulnerability: Local File Inclusion
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Race Condition
Patched Version: 4.6.5
Recommended Action: Update to version 4.6.5, or a newer patched version

Plugin: Advanced Order Export For WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: Contact Form by Supsystic

Vulnerability: SQL Injections
Patched Version: 1.7.11
Recommended Action: Update to version 1.7.11, or a newer patched version

Plugin: illi Link Party!

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Link Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Navis DocumentCloud

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.1.1
Recommended Action: Update to version 0.1.1, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 7.3.11
Recommended Action: Update to version 7.3.11, or a newer patched version

Plugin: wp-forum

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimate Noindex Nofollow Tool

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cart66 Lite :: WordPress Ecommerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.1.15
Recommended Action: Update to version 1.5.1.15, or a newer patched version

Plugin: Allow PHP in Posts and Pages

Vulnerability: Authenticated (Subscriber+) Remote Code Execution via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Text Hover

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.4.4
Recommended Action: Update to version 1.3.4.4, or a newer patched version

Plugin: School Management System for WordPress

Vulnerability: Authenticated (Student+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MySliderGallery

Vulnerability: Remote File Inclusion
Patched Version: 1.4b5
Recommended Action: Update to version 1.4b5, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.7.6
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.6, 3.8.6, 3.9.4, 4.0.2, 4.1.2

Plugin: WP Meta and Date Remover

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via settings
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Game Server Status

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ClickFunnels

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tiempo.com

Vulnerability: Cross-Site Request Forgery to Shortcode Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Scripting
Patched Version: 3.2.14
Recommended Action: Update to version 3.2.14, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.21.3
Recommended Action: Update to version 2.21.3, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.56
Recommended Action: Update to version 1.3.56, or a newer patched version

Plugin: Accordion Slider

Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version

Plugin: Mobile Assistant Connector

Vulnerability: SQL Injection
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Embedded Video

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds

Vulnerability: Unauthenticated SQL Injection
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version

Plugin: Schema App Structured Data

Vulnerability: Missing Authorization via page_init
Patched Version: 1.22.4
Recommended Action: Update to version 1.22.4, or a newer patched version

Plugin: WP-Stats

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.52
Recommended Action: Update to version 2.52, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Sensitive Information Exposure
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Locations

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Remote Code Execution via Remote File Inclusion
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version

Plugin: Recall Products

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Divi Builder

Vulnerability: Arbitrary File Upload
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version

Plugin: Product Category Tree

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Webcam Microphone Screen Recorder HTML5

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.55.5
Recommended Action: Update to version 1.55.5, or a newer patched version

Plugin: Images Asynchronous Load

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.06
Recommended Action: Update to version 1.06, or a newer patched version

Plugin: WordPress Multisite Content Copier/Updater Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: enigma-chartjs

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Album and Image Gallery with Lightbox – Flagallery Photo Portfolio

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.73
Recommended Action: Update to version 1.73, or a newer patched version

Plugin: JS Job Manager

Vulnerability: Arbitrary Plugin Installation/Activation
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Advanced AJAX Product Filters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.4.7
Recommended Action: Update to version 1.5.4.7, or a newer patched version

Plugin: JetBackup – WP Backup, Migrate & Restore

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: YOP Poll

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: YouTube Embed, Playlist and Popup by WpDevArt

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Unauthenticated Stored Cross-Site Scripting via headers
Patched Version: 21.2.8.1
Recommended Action: Update to version 21.2.8.1, or a newer patched version

Plugin: Simple Wp Sitemap

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Open Close WooCommerce Store – Best Business Schedules Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: OneClick Chat to Order

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Authenticated Path Traversal
Patched Version: 2.4.20
Recommended Action: Update to version 2.4.20, or a newer patched version

Plugin: Easy Redirect Manager

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Vulnerability: Missing Authorization
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: WP Comment Remix

Vulnerability: SQL Injection
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: JetBackup – WP Backup, Migrate & Restore

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.47
Recommended Action: Update to version 1.1.47, or a newer patched version

Plugin: SupportFlow

Vulnerability: Stored Cross-Site Scripting via discussion ticket title
Patched Version: 0.7
Recommended Action: Update to version 0.7, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Not specified in this advisory (affected versions: Products Filter for WooCommerce <= 1.1.9)
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Keyword Meta

Vulnerability: Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: WP Support Plus Responsive Ticket System

Vulnerability: Improper Authentication
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version

Plugin: Post Views Counter

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Login Block IPs

Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages

Vulnerability: Not specified in this advisory (affected versions: WPLegalPages <= 2.7.0)
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Image Intense

Vulnerability: SQL Injection
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: SQL Injection
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version

Plugin: Gift Up Gift Cards for WordPress and WooCommerce

Vulnerability: Cross-Site Request Forgery via consume_post
Patched Version: 2.22
Recommended Action: Update to version 2.22, or a newer patched version

Plugin: Qiniu Uploader

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy PayPal & Stripe Buy Now Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version

Plugin: FavIcon Switcher

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Reset Pro – Most Advanced WordPress Reset Tool

Vulnerability: Missing Authorization to Database Reset
Patched Version: 5.99
Recommended Action: Update to version 5.99, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via cg_copy_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: Ads Box

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cooked – Recipe Management

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.9.1
Recommended Action: Update to version 1.7.9.1, or a newer patched version

Plugin: Simple Tooltips

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: WooCommerce Box Office

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.51
Recommended Action: Update to version 1.1.51, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Local File Inclusion
Patched Version: 0.8.5.8
Recommended Action: Update to version 0.8.5.8, or a newer patched version

Plugin: NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: Disqus Comment System

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.76
Recommended Action: Update to version 2.76, or a newer patched version

Plugin: bbPress Login Register Links On Forum Topic Pages

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version

Plugin: Plotly

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Elementor Website Builder Pro

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: Admin Word Count Column

Vulnerability: Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Tranzila Payment Gateway

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Platinum SEO

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Plausible Analytics

Vulnerability: Reflected Cross-Site Scripting via page-url
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Titan Anti-spam & Security

Vulnerability: IP Spoofing to Protection Bypass
Patched Version: 7.3.1
Recommended Action: Update to version 7.3.1, or a newer patched version

Plugin: GNU-Mailman Integration

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Reflected Cross-Site Scripting via ‘page’ and ‘tab’
Patched Version: 12.1.21
Recommended Action: Update to version 12.1.21, or a newer patched version

Plugin: Turn off all comments

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: stats

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Fast Custom Social Share by CodeBard

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Active Directory Integration / LDAP Integration

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Simple Staff List

Vulnerability: Missing Authorization via ajax_flush_rewrite_rules and staff_member_export
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Affiliate Ads for cbAds.com

Vulnerability: Cross-Site Scripting
Patched Version: 1.35
Recommended Action: Update to version 1.35, or a newer patched version

Plugin: Travel Map

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Simple Fields

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WHMCS Bridge

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4b
Recommended Action: Update to version 6.4b, or a newer patched version
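
Every "Recommended Action" line in this list reduces to the same check: is the installed version older than the patched one, or is there no patch at all? The following is an added example, not code from this page or from any plugin author, that runs that check over entries written in this page's layout. It orders versions the way WordPress core does, with the semantics of PHP's version_compare(), which matters for a patched version written like "6.4b": PHP treats a trailing letter as a pre-release tag that sorts below a plain "6.4", so a site reporting 6.4 is not flagged. Confirm with the vendor what such a version string means before relying on that verdict. The advisory excerpt and the `wp plugin list` JSON in the block are constructed samples, and matching advisories to installed plugins by title is an assumption.

```python
"""Check installed plugins against advisory entries in this page's layout.

Added example, not code from the page or any plugin vendor. Version ordering
mirrors PHP's version_compare(), which WordPress core uses to decide whether
an update is available. All input below is constructed sample data.
"""
import json
import re

# PHP's ranking of non-numeric fragments (compare_special_version_forms);
# unknown words rank below all of these and a bare number ranks as "#".
_SPECIAL = [("dev", 0), ("alpha", 1), ("a", 1), ("beta", 2), ("b", 2),
            ("RC", 3), ("rc", 3), ("#", 4), ("pl", 5), ("p", 5)]

def _canonicalize(version: str) -> list[str]:
    """Like php_canonicalize_version(): separators become '.', and a '.' is
    inserted at each digit/letter boundary, so '6.4b' -> ['6', '4', 'b']."""
    s = re.sub(r"[^0-9A-Za-z]+", ".", version)
    s = re.sub(r"(?<=\d)(?=[A-Za-z])|(?<=[A-Za-z])(?=\d)", ".", s)
    return [p for p in s.split(".") if p]

def _rank(fragment: str) -> int:
    return next((r for name, r in _SPECIAL if fragment.startswith(name)), -1)

def _cmp_fragment(a: str, b: str) -> int:
    if a.isdigit() and b.isdigit():
        return (int(a) > int(b)) - (int(a) < int(b))
    ra = _rank("#N#") if a.isdigit() else _rank(a)
    rb = _rank("#N#") if b.isdigit() else _rank(b)
    return (ra > rb) - (ra < rb)

def php_version_compare(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 with the same ordering as PHP's version_compare()."""
    p1, p2 = _canonicalize(v1), _canonicalize(v2)
    for a, b in zip(p1, p2):
        if c := _cmp_fragment(a, b):
            return c
    if len(p1) == len(p2):
        return 0
    longer_is_v1 = len(p1) > len(p2)
    head = (p1 if longer_is_v1 else p2)[min(len(p1), len(p2))]
    # An extra numeric part wins; an extra letter part ('b', 'rc') ranks below
    # the bare number it follows, so 6.4.1 > 6.4 but 6.4b < 6.4.
    c = 1 if head.isdigit() else _cmp_fragment(head, "#N#")
    return c if longer_is_v1 else -c

# Constructed excerpt in this page's entry layout (Recommended Action lines omitted).
ADVISORY_TEXT = """\
Plugin: WHMCS Bridge

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4b

Plugin: WP Fastest Cache

Vulnerability: Local File Inclusion
Patched Version: 0.8.5.8

Plugin: Login Block IPs

Vulnerability: IP Spoofing to Protection Mechanism Bypass
Patched Version: No patched version available
"""

# Constructed: the shape of `wp plugin list --format=json --fields=title,version`.
INSTALLED_JSON = json.dumps([
    {"title": "WHMCS Bridge", "version": "6.4"},
    {"title": "WP Fastest Cache", "version": "0.8.5.7"},
    {"title": "Login Block IPs", "version": "1.0.0"},
])

_ENTRY = re.compile(r"Plugin:[ \t]*(?P<plugin>.+)\n\s*Vulnerability:[ \t]*(?P<vuln>.+)\n"
                    r"Patched Version:[ \t]*(?P<patched>.+)")
_SEVERITY = {"patched": 0, "vulnerable": 1, "no-patch": 2}

def parse_advisories(text: str) -> list[dict]:
    """One dict per entry; 'patched' is None when the page lists no fix."""
    return [{"plugin": m["plugin"].strip(), "vulnerability": m["vuln"].strip(),
             "patched": None if m["patched"].strip().lower().startswith("no patched")
             else m["patched"].strip()}
            for m in _ENTRY.finditer(text)]

def assess(installed_json: str, advisory_text: str) -> dict[str, str]:
    """Verdict per installed plugin named in the advisories: 'vulnerable'
    (installed < patched), 'patched', or 'no-patch'; the worst verdict wins.
    Matching on the wp.org listing title is an assumption (vendors do rename)."""
    installed = {p["title"].casefold(): p["version"] for p in json.loads(installed_json)}
    verdicts: dict[str, str] = {}
    for e in parse_advisories(advisory_text):
        version = installed.get(e["plugin"].casefold())
        if version is None:
            continue
        if e["patched"] is None:
            verdict = "no-patch"
        else:
            verdict = "vulnerable" if php_version_compare(version, e["patched"]) < 0 else "patched"
        if _SEVERITY[verdict] > _SEVERITY.get(verdicts.get(e["plugin"]), -1):
            verdicts[e["plugin"]] = verdict
    return verdicts
```

To run it against a real site, replace INSTALLED_JSON with the output of `wp plugin list --format=json --fields=title,version` and ADVISORY_TEXT with the entries from this page; anything reported as "vulnerable" or "no-patch" needs action, and a "patched" verdict on a version like 6.4b deserves a second look because it rests on PHP's pre-release ordering rather than on what the vendor meant.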

Plugin: Image Gallery – Responsive Photo Gallery

Vulnerability: Reflected Cross-Site Scripting via linkbutton
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: E2Pdf – Export Pdf Tool for WordPress

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.20.24
Recommended Action: Update to version 1.20.24, or a newer patched version

Plugin: Campaign Monitor Forms by Optin Cat

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Options Update via ajax_dismiss_notice
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version

Plugin: Dropdown Menu Widget

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: DJ EmailPublish

Vulnerability: Not specified in this advisory
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.2.8
Recommended Action: Update to version 5.2.8, or a newer patched version

Plugin: WP Stripe Checkout

Vulnerability: Sensitive Information Exposure via Debug Log
Patched Version: 1.2.2.38
Recommended Action: Update to version 1.2.2.38, or a newer patched version

Plugin: IFrame Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: JetEngine

Vulnerability: Missing Authorization
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Smart Post Show – Post Grid, Post Carousel, Post Slider, Post Timeline, Post Table, and List Category Posts, Latest Posts, Recent Posts, Popular Posts and More

Vulnerability: Missing Capabilities Check
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version

Plugin: Glass

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.0.0
Recommended Action: Update to version 7.0.0, or a newer patched version

Core: WordPress

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.0
Recommended Action: Update to one of the following versions, or a newer patched version: 3.0, 3.0.5

Plugin: Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Slider by 10Web – Responsive Image Slider

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.2.53
Recommended Action: Update to version 1.2.53, or a newer patched version

Plugin: Breadcrumb NavXT

Vulnerability: Sensitive Data Exposure
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: WP Shop

Vulnerability: SQL Injection
Patched Version: 3.4.3.16
Recommended Action: Update to version 3.4.3.16, or a newer patched version

Plugin: WebP Express

Vulnerability: Arbitrary File Read
Patched Version: 0.14.11
Recommended Action: Update to version 0.14.11, or a newer patched version

Plugin: CM Tooltip Glossary

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.9.21
Recommended Action: Update to version 3.9.21, or a newer patched version

Plugin: custom-metas

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Order XML File Export Import for WooCommerce

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Add Social Share Buttons for Whatsapp and Viber

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: Salat Times

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: yahoo-updates-for-wordpress

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clean Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.4
Recommended Action: Update to version 1.10.4, or a newer patched version

Plugin: GoCodes

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Community Events

Vulnerability: SQL Injection
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout

Vulnerability: Missing Authorization via _update_shortcode
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: Stock Ticker

Vulnerability: Reflected Cross-Site Scripting in ajax_stockticker_symbol_search_test
Patched Version: 3.23.3
Recommended Action: Update to version 3.23.3, or a newer patched version

Plugin: Pixel Cat – Conversion Pixel Manager

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: AI Power: Complete AI Pack

Vulnerability: Missing Authorization to Sensitive Data Exposure
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Multiple SQL Injection
Patched Version: 2.4.4
Recommended Action: Update to version 2.4.4, or a newer patched version

Plugin: FunCaptcha – Anti-Spam CAPTCHA

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.3.3
Recommended Action: Update to version 0.3.3, or a newer patched version

Plugin: Login/Signup Popup ( Inline Form + Woocommerce )

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: We’re Open!

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.42
Recommended Action: Update to version 1.42, or a newer patched version

Plugin: WPPerformanceTester

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Register Plus Redux

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ultimeter

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Advanced Text Widget

Vulnerability: Missing Authorization via atw_dismiss_admin_notice
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sidebar Widgets by CodeLights

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Loan Comparison

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: WP Testimonials

Vulnerability: Cross-Site Request Forgery to Widget Deletion
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Plugin: Sitemap Index

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads (EDD) Stripe

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: WC Captcha

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EELV Newsletter

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: MainWP Wordfence Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Several Parameters
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: MailPoet Newsletters (Previous)

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version

Plugin: BuddyPress

Vulnerability: Missing Authorization to Private Post Activity
Patched Version: 7.3.0
Recommended Action: Update to version 7.3.0, or a newer patched version

Plugin: Database Cleaner

Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 0.9.9
Recommended Action: Update to version 0.9.9, or a newer patched version

Plugin: Easy Cookie Law

Vulnerability: Cross-Site Request Forgery via ‘ecl_options’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hotel Listings

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Post Hit Counter

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP All Import Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Media Metadata
Patched Version: 3.7.19
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.19, 3.8.19, 3.9.17, 4.0.16, 4.1.16, 4.2.13, 4.3.9, 4.4.8, 4.5.7, 4.6.4, 4.7.3

Plugin: Intelligent WordPress Live Chat Support Plugin | Utilities

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Database Backup for WordPress

Vulnerability: Admin+ SQL Injection
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Data Tables Generator by Supsystic

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.92
Recommended Action: Update to version 1.9.92, or a newer patched version

Plugin: ActivityPub

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Content
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.6
Recommended Action: Update to version 3.4.6, or a newer patched version

Plugin: WordPress Simple Shopping Cart

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.6
Recommended Action: Update to version 3.6, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Sensitive Information Disclosure via Shortcode
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version

Plugin: WP Show Posts

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: BuddyPress

Vulnerability: SQL Injection
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Authenticated (Author+) SQL Injection via cg_copy_start
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: Menu Image, Icons made easy

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 3.0.8
Recommended Action: Update to version 3.0.8, or a newer patched version

Plugin: Gmedia Photo Gallery

Vulnerability: Open Proxy
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: SQL Injection
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Nested Pages

Vulnerability: Open Redirect
Patched Version: 3.1.16
Recommended Action: Update to version 3.1.16, or a newer patched version

Plugin: LearnDash LMS

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.5.3.1
Recommended Action: Update to version 4.5.3.1, or a newer patched version

Plugin: Pixabay Images

Vulnerability: Authentication Bypass to Arbitrary File Upload
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: CC Child Pages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.43
Recommended Action: Update to version 1.43, or a newer patched version

Plugin: 2 Click Social Media Buttons

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 0.34
Recommended Action: Update to version 0.34, or a newer patched version

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net

Vulnerability: Cross-Site Request Forgery to Product Manipulation
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: VK All in One Expansion Unit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting in Profile Setting
Patched Version: 9.88.2.0
Recommended Action: Update to version 9.88.2.0, or a newer patched version

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: 1.16.59
Recommended Action: Update to version 1.16.59, or a newer patched version

Plugin: Easy Photo Album

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Ultimate GDPR & CCPA Compliance Toolkit for WordPress

Vulnerability: Unauthenticated Settings Import & Export
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version

Plugin: Limit Login Attempts

Vulnerability: Administrator+ Cross-Site Scripting
Patched Version: 4.0.72
Recommended Action: Update to version 4.0.72, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.8.5
Recommended Action: Update to version 0.8.5, or a newer patched version

Plugin: Add Comments

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: KiviCare – Clinic & Patient Management System (EHR)

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Cross-Site Request Forgery via ajax_save_folder_order
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Loginizer

Vulnerability: Reflected Cross-Site Scripting via ‘name’
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: Hot Linked Image Cacher

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Advanced Bulk Edit Products, Orders, Coupons, Any WordPress Post Type – Smart Manager

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.9.7
Recommended Action: Update to version 3.9.7, or a newer patched version

Plugin: Webmaster Tools

Vulnerability: Cross-Site Request Forgery via lionscripts_plg_f
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: yolink Search for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated SQL Injection
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version

Plugin: Sell Media

Vulnerability: Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: Advanced uploader

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP ULike – All-in-One Engagement Toolkit

Vulnerability: Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: Shoppable Images

Vulnerability: Missing Authorization
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.3.23
Recommended Action: Update to version 1.2.3.23, or a newer patched version

Plugin: Fudousan Plugin

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Job Board

Vulnerability: Reflected Cross-Site Scripting & Cross-Frame Scripting
Patched Version: 5.7.0
Recommended Action: Update to version 5.7.0, or a newer patched version

Plugin: CLUEVO LMS, E-Learning Platform

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.11.0
Recommended Action: Update to version 1.11.0, or a newer patched version

Plugin: Sort SearchResult By Title

Vulnerability: Cross-Site Request Forgery via settings_page
Patched Version: 11.0
Recommended Action: Update to version 11.0, or a newer patched version

Plugin: Portfolio by BestWebSoft – Work and Projects Presentation Plugin for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Social Media Feather | social media sharing

Vulnerability: Missing Authorization
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Frontend Post WordPress Plugin – AccessPress Anonymous Post

Vulnerability: Backdoored
Patched Version: 2.8.1
Recommended Action: Update to version 2.8.1, or a newer patched version

Plugin: Random Banner

Vulnerability: Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: kbslider

Vulnerability: Path Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

Vulnerability: Cross-Site Request Forgery via views/tools/diagnostics/information.php
Patched Version: 1.5.7.1
Recommended Action: Update to version 1.5.7.1, or a newer patched version

Plugin: Login With Ajax – Fast Logins, 2FA, Redirects

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.4.1
Recommended Action: Update to version 3.0.4.1, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated (Administrator+) Directory Traversal to Arbitrary File Read
Patched Version: 5.6.24
Recommended Action: Update to version 5.6.24, or a newer patched version

Plugin: Advanced Shipment Tracking for WooCommerce

Vulnerability: Authenticated WordPress Options Change
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Missing Authorization to Course Category Creation
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image URL
Patched Version: 5.9.5
Recommended Action: Update to version 5.9.5, or a newer patched version

Plugin: AMP+ Plus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Arbitrary Account Changes
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Cross-Site Scripting via post_title parameter
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings

Vulnerability: Cross-Site Request Forgery to Arbitrary File Upload
Patched Version: 7.0.6.2
Recommended Action: Update to version 7.0.6.2, or a newer patched version

Plugin: WP Custom Admin Interface

Vulnerability: Missing Authorization to Transients Deletion
Patched Version: 7.33
Recommended Action: Update to version 7.33, or a newer patched version

Plugin: NextScripts: Social Networks Auto-Poster

Vulnerability: Arbitrary Post Deletion via Cross-Site Request Forgery
Patched Version: 4.3.25
Recommended Action: Update to version 4.3.25, or a newer patched version

Plugin: ENL Newsletter

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Authenticated Access or Cross-Site Request Forgery leading to SQL Injection via orderby, order Parameters
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: Maps by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: HTML5 AV Manager

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Amazonify

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Arbitrary File Upload
Patched Version: 1.9.13
Recommended Action: Update to version 1.9.13, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.49
Recommended Action: Update to version 3.2.49, or a newer patched version

Plugin: WooPayments: Integrated WooCommerce Payments

Vulnerability: 5.6.1 Authentication Bypass and Privilege Escalation
Patched Version: 5.6.2
Recommended Action: Update to version 5.6.2, or a newer patched version

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management

Vulnerability: Cross-Site Request Forgery via Multiple AJAX Actions
Patched Version: 121
Recommended Action: Update to version 121, or a newer patched version

Plugin: Social Share Boost

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: HTML5 MP3 Player with Playlist Free

Vulnerability: Full Path Disclosure
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: JobBoardWP – Job Board Listings and Submissions

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Mingle Forum

Vulnerability: SQL Injection
Patched Version: 1.0.33
Recommended Action: Update to version 1.0.33, or a newer patched version

Plugin: Dynamic Word Spinner: CSS3 Animated Rotation

Vulnerability: Missing Authorization via save_admin_options
Patched Version: 5.5
Recommended Action: Update to version 5.5, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Arbitrary File Upload
Patched Version: 2.0.77.3
Recommended Action: Update to version 2.0.77.3, or a newer patched version

Plugin: MapPress Maps for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.88.15
Recommended Action: Update to version 2.88.15, or a newer patched version

Plugin: Category Specific RSS feed Subscription

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.2
Recommended Action: Update to version 3.9.2, or a newer patched version

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Shortcode-Based Cross-Site Scripting
Patched Version: 9.3
Recommended Action: Update to version 9.3, or a newer patched version

Plugin: PHP Compatibility Checker

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: Gallery – Photo Albums Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.50
Recommended Action: Update to version 1.3.50, or a newer patched version

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload via Path Traversal
Patched Version: 3.6.9
Recommended Action: Update to version 3.6.9, or a newer patched version

Plugin: CBX Bookmark & Favorite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6.9
Recommended Action: Update to version 1.6.9, or a newer patched version

Plugin: User Activity Tracking and Log

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: Better Delete Revision

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

Vulnerability: Unauthenticated Insecure Direct Object Reference to Arbitrary User Password Change
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version

Plugin: Bulk Comment Remove

Vulnerability: Cross-Site Request Forgery via brc_admin()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Prevent Landscape Rotation

Vulnerability: Cross-Site Request Forgery via adminpage.php
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: MemberSonic Lite Membership Site Plugin

Vulnerability: Authentication Bypass
Patched Version: 1.302
Recommended Action: Update to version 1.302, or a newer patched version

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.19
Recommended Action: Update to version 2.0.19, or a newer patched version

Plugin: flickr-picture-backup

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Min Max Control – Min Max Quantity & Step Control for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Plugin: BookX

Vulnerability: Path Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Store Locator WordPress

Vulnerability: Reflected Cross-Site Scripting via ‘asl-nounce’
Patched Version: 1.4.13
Recommended Action: Update to version 1.4.13, or a newer patched version

Plugin: WordPress Spreadsheet

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Konnichiwa! Membership

Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Multisite Content Copier/Updater

Vulnerability: Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: IMPress for IDX Broker

Vulnerability: Authenticated Arbitrary Post Creation, Modification, and Deletion
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Featured Image from URL (FIFU)

Vulnerability: Missing Authorization on REST API routes
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: Advanced Woo Search

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.78
Recommended Action: Update to version 2.78, or a newer patched version

Plugin: WooCommerce

Vulnerability: Insecure Direct Object Reference via order_id Parameter
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version

Plugin: Ad Inserter – Ad Manager & AdSense Ads

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Registration | User Registration and Invitation Codes Plugin for WordPress

Vulnerability: PHP Object Injection
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Contest Gallery Pro

Vulnerability: Authenticated (Administrator+) SQL Injection via wp_user_id
Patched Version: 19.1.5
Recommended Action: Update to version 19.1.5, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Missing Authorization via fire_cron REST endpoint
Patched Version: 1.24.7
Recommended Action: Update to version 1.24.7, or a newer patched version

Plugin: Pixel Cat – Conversion Pixel Manager

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Core: WordPress

Vulnerability: Reflected Cross-Site Scripting via Global Variables
Patched Version: 3.7.35
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.7, 5.2.8, 5.3.5, 5.4.3, 5.5.2

Plugin: SpiderCalendar

Vulnerability: SQL Injection
Patched Version: 1.5.52
Recommended Action: Update to version 1.5.52, or a newer patched version

Plugin: Debug Assistant

Vulnerability: Cross-Site Request Forgery via imlt_create_admin
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: MainWP Post Dripper Extension

Vulnerability: Missing Authorization to Arbitrary Page/Post Deletion
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: FareHarbor for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 1.9.25
Recommended Action: Update to version 1.9.25, or a newer patched version

Plugin: Floating Action Button

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Related Posts for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Clicky by Yoast

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.9.8
Recommended Action: Update to version 2.9.8, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via Comments via URLs
Patched Version: 3.7.30
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.14, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3

Plugin: Easy Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.9.3
Recommended Action: Update to version 3.9.3, or a newer patched version

Plugin: Prismatic

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version

Plugin: Auto-hyperlink URLs

Vulnerability: Tab Nabbing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 13.2.6
Recommended Action: Update to version 13.2.6, or a newer patched version

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version

Plugin: wordTube

Vulnerability: Remote File Inclusion
Patched Version: 1.44
Recommended Action: Update to version 1.44, or a newer patched version

Plugin: Easy Hide Login

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: FoxyPress

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.0.2
Recommended Action: Update to version 3.0.2, or a newer patched version

Plugin: Event Calendar – Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Movies

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Customer Reviews for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.12.1
Recommended Action: Update to version 5.12.1, or a newer patched version

Core: WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.34
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.34, 3.8.34, 3.9.32, 4.0.31, 4.1.31, 4.2.28, 4.3.24, 4.4.23, 4.5.22, 4.6.19, 4.7.18, 4.8.14, 4.9.15, 5.0.10, 5.1.6, 5.2.7, 5.3.4, 5.4.2

Plugin: Form Builder | Create Responsive Contact Forms

Vulnerability: Unauthenticated CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: St-Daily-Tip

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Chatbot for Messenger

Vulnerability: Missing Authorization
Patched Version: 4.8
Recommended Action: Update to version 4.8, or a newer patched version

Plugin: HTTP Auth

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version

Plugin: PDF Builder for WooCommerce. Create invoices,packing slips and more

Vulnerability: Authenticated (Subscriber+) SQL Injection via Export
Patched Version: 1.2.90
Recommended Action: Update to version 1.2.90, or a newer patched version

Plugin: WP Tabs – Responsive Tabs and Custom Product Tabs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: WP Header Images

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: UserAgent-Spy

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Memory Usage, Memory Limit, PHP and Server Memory Health Check and Provide Suggestions

Vulnerability: Missing Authorization to Arbitrary Plugin Installation
Patched Version: 2.46
Recommended Action: Update to version 2.46, or a newer patched version

Plugin: WP Blog and Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce

Vulnerability: Cross-Site Request Forgery to Order Information Disclosure
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version

Plugin: Hana Flv Player

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version

Plugin: Highlight Sitewide Notice, Text, Button Menu

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.9.3
Recommended Action: Update to version 0.9.3, or a newer patched version

Plugin: WP Easy Gallery – WordPress Gallery Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Content Audit

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Husker Portfolio

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ipBlockList

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin

Vulnerability: Authenticated SQL Injection
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.4.0
Recommended Action: Update to version 8.4.0, or a newer patched version

Plugin: Product Slider for WooCommerce by PickPlugins

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.42
Recommended Action: Update to version 1.13.42, or a newer patched version

Plugin: WP Repost

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BZScore – Live Score

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Shortcode Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Faculty Staff and Student Directory Plugin – Campus Directory

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: Auto Affiliate Links

Vulnerability: SQL Injection
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: Easy Digital Downloads – PDF stamper

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Authenticated Cross-Site Scripting in Various Blocks
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Core: WordPress

Vulnerability: Authenticated Information Disclosure via REST-API
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3
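
Acting on a list like this comes down to one check per entry: is the installed build at or above the fix for its branch? That is trivial for a plugin with a single patched version, but the two core entries above list a fix per release branch (3.7.40, 3.8.40, ..., 6.0.3), so a site on 5.9.4 needs 5.9.5 rather than 3.7.40, and a site on 6.1 is already covered. The Python below is an added example, not code from this page or from WordPress; it parses entries in the page's own layout, applies that branch rule (an assumption about how the list is meant to be read, stated in the code), and reports unpatched components from a constructed inventory. Entries with no patched version are always reported, matching the page's advice to mitigate or remove. The plugin names used are the ones written above; everything else (the inventory, the installed versions) is constructed for the example.

```python
"""Check installed WordPress components against entries in this roundup.

Added example, not code from the page or any plugin vendor. It parses entries in
the page's own layout and flags installs below the fix. The inventory is
constructed; a real one would come from `wp core version` / `wp plugin list`.
"""
import re
from collections import namedtuple

ENTRY_RE = re.compile(
    r"^(?:Plugin|Core): (?P<name>.+)\n\n"
    r"Vulnerability: (?P<vuln>.+)\n"
    r"Patched Version: (?P<patched>.+)\n"
    r"Recommended Action: (?P<action>.+)$",
    re.MULTILINE,
)

# fixes: tuple of patched version strings; empty when no patch exists
Advisory = namedtuple("Advisory", "component vulnerability fixes")

def parse_version(v: str) -> tuple:
    """'4.9.22' -> (4, 9, 22); '1.38' -> (1, 38), so 1.38 > 1.4.7 numerically."""
    parts = []
    for p in v.strip().split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def parse_advisories(text: str) -> list:
    """One Advisory per entry; a component may appear in several entries."""
    out = []
    for m in ENTRY_RE.finditer(text):
        if m.group("patched").lower().startswith("no patched"):
            fixes = ()
        else:  # core entries list every backported branch in the action line
            fixes = tuple(re.findall(r"\d+(?:\.\d+)+", m.group("action")))
        out.append(Advisory(m.group("name").strip(), m.group("vuln").strip(), fixes))
    return out

def is_patched(installed: str, fixes) -> bool:
    """True when `installed` carries the fix for its own release branch.

    Assumed reading of the list: a fix sharing the first two components is the
    installed branch's patch level, so the install needs at least that; with no
    matching branch the install must be newer than every listed fix. For a
    plugin entry with a single fix this reduces to installed >= fix.
    """
    if not fixes:
        return False
    inst = parse_version(installed)
    parsed = [parse_version(f) for f in fixes]
    same_branch = [f for f in parsed if f[:2] == inst[:2]]
    if same_branch:
        return inst >= max(same_branch)
    return inst > max(parsed)

def check_inventory(inventory: dict, advisories) -> list:
    """Return (component, vulnerability, action) for each unpatched install."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is None or is_patched(installed, adv.fixes):
            continue
        if not adv.fixes:
            action = "no patch available; mitigate or remove"
        else:
            branch = parse_version(installed)[:2]
            target = next((f for f in adv.fixes if parse_version(f)[:2] == branch),
                          adv.fixes[-1])
            action = f"update to {target} or newer"
        findings.append((adv.component, adv.vulnerability, action))
    return findings

# constructed inventory: component name as written in the roundup -> installed version
INVENTORY = {"WordPress": "5.9.4", "Download Manager": "3.1.0", "Easy Org Chart": "1.0"}

# entries copied from this roundup, in its own layout
ADVISORIES_TEXT = """\
Core: WordPress

Vulnerability: Authenticated Cross-Site Scripting in Various Blocks
Patched Version: 3.7.40
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3

Plugin: Download Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.49
Recommended Action: Update to version 3.2.49, or a newer patched version

Plugin: Easy Org Chart

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
"""

if __name__ == "__main__":
    for component, vuln, action in check_inventory(INVENTORY, parse_advisories(ADVISORIES_TEXT)):
        print(f"{component}: {vuln} -> {action}")
```

The fragile part of such a check is name matching: the inventory key must equal the entry name exactly, and several plugins above appear under their full marketplace title. Version strings are compared component by component, so 1.38 is correctly treated as newer than 1.4.7.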

Plugin: Contact Form DB – Elementor

Vulnerability: Not specified (the entry lists only the affected versions: <= 1.7)
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Easy Registration Forms

Vulnerability: CSV Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Profile Extra Fields by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Wicked Folders

Vulnerability: Cross-Site Request Forgery on ajax_save_folder
Patched Version: 2.18.17
Recommended Action: Update to version 2.18.17, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.4
Recommended Action: Update to version 2.0.4, or a newer patched version

Plugin: Simple:Press Forum

Vulnerability: Authenticated (Subscriber+) Path Traversal to Arbitrary File Deletion
Patched Version: 6.8.1
Recommended Action: Update to version 6.8.1, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service via Long Password
Patched Version: 3.7.5
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.5, 3.8.5, 3.9.3, 4.0.1

Plugin: Simple Event Planner

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Form Settings
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version

Plugin: Easy Org Chart

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Floating Social Media Links

Vulnerability: Remote File Inclusion via fsml-hideshow.js.php wpp parameter
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version

Core: WordPress

Vulnerability: Authorization Bypass
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: Duplicate Page

Vulnerability: Not specified
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version

Plugin: Flickr Justified Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version

Plugin: Contact Form Builder, Contact Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Lazy Social Comments

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Options
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Simple Download Monitor

Vulnerability: Sensitive Data Exposure
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version

Plugin: Sociable

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP All Export Pro

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: WC Sales Notification

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.2
Recommended Action: Update to version 3.6.2, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: CSV Injection
Patched Version: 3.3.14
Recommended Action: Update to version 3.3.14, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Missing Authorization
Patched Version: 1.14.8
Recommended Action: Update to version 1.14.8, or a newer patched version

Plugin: YourMembership Single Sign On – YM SSO Login

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: LayerSlider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.7.10
Recommended Action: Update to version 7.7.10, or a newer patched version

Plugin: GD Rating System

Vulnerability: Directory Traversal
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Social Feed Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version

Plugin: WP CSV Exporter

Vulnerability: CSV Injection
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: MainWP UpdraftPlus Extension

Vulnerability: Missing Authorization to Arbitrary Plugin Activation
Patched Version: 4.0.7
Recommended Action: Update to version 4.0.7, or a newer patched version

Plugin: CPT Bootstrap Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version

Plugin: RSVPMaker

Vulnerability: Authenticated (Admin+) SQL Injection via $email value
Patched Version: 9.9.4
Recommended Action: Update to version 9.9.4, or a newer patched version

Plugin: Timed Content

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.73
Recommended Action: Update to version 2.73, or a newer patched version

Plugin: WP Membership

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Qode Essential Addons

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Subscribers and Landing Pages

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: wp-unique-article-header-image

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PowerPress Podcasting plugin by Blubrry

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 10.0.2
Recommended Action: Update to version 10.0.2, or a newer patched version

Plugin: Download Manager

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.5.9
Recommended Action: Update to version 2.5.9, or a newer patched version

Plugin: History Timeline for Biography, Company History & Event Timeline

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Vietnam Checkout

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Woocommerce Follow-ups

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.50
Recommended Action: Update to version 4.9.50, or a newer patched version

Plugin: surveys

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 4.1.3.1
Recommended Action: Update to version 4.1.3.1, or a newer patched version

Plugin: Media Library Categories

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: WP Page Numbers

Vulnerability: Cross-Site Request Forgery via wp_page_numbers_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clone

Vulnerability: Sensitive Information Exposure
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: Google +1 by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: SEO Scout: Content Optimization, Keyword Research, Rank Tracking + SEO Testing

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Slider Feed

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpForo Forum

Vulnerability: Privilege Escalation
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Scripting
Patched Version: 2.9.52
Recommended Action: Update to version 2.9.52, or a newer patched version

Plugin: MAZ Loader – Preloader Builder for WordPress

Vulnerability: SQL Injection
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: BP Social Connect

Vulnerability: Authentication Bypass
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Add Shortcodes Actions And Filters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version

Plugin: OAuth Single Sign On – SSO (OAuth Client)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.20.3
Recommended Action: Update to version 6.20.3, or a newer patched version

Plugin: Custom Login Page

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accept Stripe Payments

Vulnerability: Insecure Direct Object Reference
Patched Version: 2.0.80
Recommended Action: Update to version 2.0.80, or a newer patched version

Plugin: Participants Database

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Directory Listings WordPress plugin – uListing

Vulnerability: Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: page-flip-image-gallery

Vulnerability: Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ReFlex Gallery » WordPress Photo Gallery

Vulnerability: Arbitrary File Upload
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Disable Right Click For WP

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Business Directory Plugin – Easy Listing Directories for WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 5.11.2
Recommended Action: Update to version 5.11.2, or a newer patched version

Plugin: Duplicate Post Page Menu & Custom Post Type

Vulnerability: Missing Authorization
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Cross-Site Request Forgery via getPluginStatus
Patched Version: 3.2.11
Recommended Action: Update to version 3.2.11, or a newer patched version

Plugin: Convert Pro

Vulnerability: Missing Authorization
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: On Page SEO + Social Live Chat (Formerly OPS)

Vulnerability: Not specified
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: VM Backups

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Email

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.66
Recommended Action: Update to version 1.2.66, or a newer patched version

Plugin: WP Symposium

Vulnerability: Multiple SQL Injections
Patched Version: 12.12
Recommended Action: Update to version 12.12, or a newer patched version

Plugin: RokStories

Vulnerability: Cross-Site Scripting
Patched Version: 1.26
Recommended Action: Update to version 1.26, or a newer patched version

Plugin: ARI Stream Quiz – WordPress Quizzes Builder

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Google Analytics Top Content Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: myghpay WooCommerce Payment Gateway

Vulnerability: Not specified
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Product Table Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Lean WP

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CallRail Phone Call Tracking

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.4.10
Recommended Action: Update to version 0.4.10, or a newer patched version

Plugin: Database Backup for WordPress

Vulnerability: Authenticated Stored Cross-Site Scripting via backup_receipient Parameter
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Strong Testimonials

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Scribble Maps

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Re-attacher by BestWebSoft

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Insert Estimated Reading Time

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BSK Forms Blacklist

Vulnerability: Authenticated (Administrator+) SQL Injection via ‘order’ and ‘orderby’
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: Videos sync PDF

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: XML Sitemap Generator for Google

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: AdPush

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.30
Recommended Action: Update to version 1.30, or a newer patched version

Plugin: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 7.6.7
Recommended Action: Update to version 7.6.7, or a newer patched version

Plugin: Restrict Categories

Vulnerability: Reflected Cross-Site Scripting via rc-search
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.7
Recommended Action: Update to one of the following versions, or a newer patched version: 1.8.7, 1.9.10, 2.0.5, 2.1.11, 2.2.9, 2.3.7

Plugin: WP Google Maps Pro

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 8.1.12
Recommended Action: Update to version 8.1.12, or a newer patched version

Plugin: StagTools

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: ULeak Security & Monitoring Plugin

Vulnerability: Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Loco Translate

Vulnerability: Authenticated PHP Code Injection
Patched Version: 2.5.4
Recommended Action: Update to version 2.5.4, or a newer patched version

Plugin: Video Background

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Directory Traversal
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Cross-Site Request Forgery to Plugin Channel Reset
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: A/B Test for WordPress

Vulnerability: Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Contact form 7 DB

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: ElasticPress

Vulnerability: Prototype Pollution
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme

Vulnerability: Arbitrary File Upload
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: WP Docs

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Core: WordPress

Vulnerability: Open Redirect
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: Abandoned Cart Recovery for WooCommerce

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.0.4.1
Recommended Action: Update to version 1.0.4.1, or a newer patched version

Plugin: AllWebMenus WordPress Menu Plugin

Vulnerability: Remote File Inclusion
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Import Export Suite for CSV and XML Datafeed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.8.8
Recommended Action: Update to version 3.8.8, or a newer patched version

Plugin: Medialist

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Total Security

Vulnerability: Cross-Site Scripting
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Plugin: LionScripts: IP Blocker Lite

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rencontre – Dating Site

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Memory Usage, Memory Limit, PHP and Server Memory Health Check and Provide Suggestions

Vulnerability: Cross-Site Scripting
Patched Version: 2.44
Recommended Action: Update to version 2.44, or a newer patched version

Plugin: OSD Subscribe

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: QuBot – Chatbot Builder with Templates

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Sliding Social Icons

Vulnerability: Cross-Site Request Forgery and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Futurio Extra

Vulnerability: Sensitive Information Disclosure
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: SureTriggers: All-in-One WordPress Automation

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.24
Recommended Action: Update to version 1.0.24, or a newer patched version

Plugin: Seriously Simple Stats

Vulnerability: Authenticated (Podcast manager+) SQL Injection via order_by
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: Easy Appointments

Vulnerability: Cross-Site Request Forgery via multiple AJAX actions
Patched Version: 3.11.10
Recommended Action: Update to version 3.11.10, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Not specified (the entry lists only the affected version: 1.2.997)
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Coru LFMember

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mailjet Email Marketing

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 5.3.1
Recommended Action: Update to version 5.3.1, or a newer patched version

Plugin: stripshow

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Global Flash Gallery

Vulnerability: Arbitrary File Upload
Patched Version: 0.15.2
Recommended Action: Update to version 0.15.2, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 5.2.5
Recommended Action: Update to version 5.2.5, or a newer patched version

Plugin: Sticky Menu & Sticky Header

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.21
Recommended Action: Update to version 2.21, or a newer patched version

Plugin: Dynamic Widgets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Minimum Purchase for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: JetBackup – WP Backup, Migrate & Restore

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.47
Recommended Action: Update to version 1.1.47, or a newer patched version

Plugin: A2 Optimized WP – Turbocharge and secure your WordPress site

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: File Manager

Vulnerability: Unauthenticated Resource Access to Site Backups
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version

Plugin: MainWP Matomo Extension

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: MailPoet Newsletters (Previous)

Vulnerability: Spam Injection
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Captcha Bypass
Patched Version: 1.15.21
Recommended Action: Update to version 1.15.21, or a newer patched version

Plugin: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin

Vulnerability: Unauthenticated SQL Injection
Patched Version: 13.1.6
Recommended Action: Update to version 13.1.6, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.49
Recommended Action: Update to version 3.2.49, or a newer patched version

Plugin: Termly – GDPR/CCPA Cookie Consent Banner

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.10
Recommended Action: Update to version 2.3.10, or a newer patched version

Plugin: Live Chat with Messenger Customer Chat

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: DMSGuestbook

Vulnerability: SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sermon Browser

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 0.45.16
Recommended Action: Update to version 0.45.16, or a newer patched version

Plugin: Album and Image Gallery plus Lightbox

Vulnerability: Missing Authorization
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Reflected Cross-Site Scripting via font-size
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: WP Frontend Profile

Vulnerability: Stored Cross-Site Scripting
Patched Version: 0.2.2
Recommended Action: Update to version 0.2.2, or a newer patched version

Plugin: Logo Carousel – Responsive Logo Slider, Logo Showcase, and Clients Logo Gallery

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 3.4.2
Recommended Action: Update to version 3.4.2, or a newer patched version

Plugin: Ship To eCourier

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Cimy User Manager

Vulnerability: Arbitrary File Read
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Magic Post Voice

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Syntax

Vulnerability: Remote Code Execution
Patched Version: 0.9.10
Recommended Action: Update to version 0.9.10, or a newer patched version

Plugin: Google Map

Vulnerability: SQL Injection
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Advanced Booking Calendar

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Gallery Metabox

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Subscribe

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.13
Recommended Action: Update to version 1.2.13, or a newer patched version

Plugin: Simple Portfolio Gallery

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: eCommerce Product Catalog Plugin for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: WP Hide Pages

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Support Board

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Recently Viewed Products

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: CodeBard's Patron Button and Widgets for Patreon

Vulnerability: Reflected Cross-Site Scripting via ‘site_account’
Patched Version: 2.1.9
Recommended Action: Update to version 2.1.9, or a newer patched version

Plugin: Exquisite PayPal Donation

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Insecure Content Warning

Vulnerability: Remote Code Execution
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 6.3.0
Recommended Action: Update to version 6.3.0, or a newer patched version

Plugin: Simple:Press Forum

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Forum Replies
Patched Version: 6.8.1
Recommended Action: Update to version 6.8.1, or a newer patched version

Plugin: WP Maps – Display Google Maps Perfectly with Ease

Vulnerability: Authenticated SQL Injection via Orderby
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: 2.6.7.6
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Advanced Schedule Posts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) PHAR Deserialization
Patched Version: 3.2.50
Recommended Action: Update to version 3.2.50, or a newer patched version

Plugin: NextCellent Gallery – NextGEN Legacy

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.9.18
Recommended Action: Update to version 1.9.18, or a newer patched version

Plugin: Email Artillery (MASS EMAIL)

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elementor Addon Elements

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.12.8
Recommended Action: Update to version 1.12.8, or a newer patched version

Plugin: Export and Import Users and Customers

Vulnerability: Missing Authorization to Authenticated (Shop Manager) Arbitrary User Password Change
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: BulletProof Security

Vulnerability: Sensitive Information Disclosure
Patched Version: 5.2
Recommended Action: Update to version 5.2, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: 5.5.2
Recommended Action: Update to version 5.5.2, or a newer patched version

Plugin: Crelly Slider

Vulnerability: SQL Injection
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Etsy Shop

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 7.11.35
Recommended Action: Update to version 7.11.35, or a newer patched version

Plugin: Powerplay Gallery

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Local File Inclusion
Patched Version: 3.8.12
Recommended Action: Update to version 3.8.12, or a newer patched version

Plugin: Easy Modal

Vulnerability: SQL Injection
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Table Generator

Vulnerability: Missing Authorization to Table Modification
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Page Ordering

Vulnerability: Open Redirect
Patched Version: 2.4.3
Recommended Action: Update to version 2.4.3, or a newer patched version

Plugin: GD Rating System

Vulnerability: Directory Traversal
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Download Monitor

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: Go Pricing – WordPress Responsive Pricing Tables

Vulnerability: WordPress Responsive Pricing Tables <= 3.3.19
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: 404 Solution

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.35.0
Recommended Action: Update to version 2.35.0, or a newer patched version

Plugin: CPT Shortcode Generator

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Font Awesome

Vulnerability: API Token Exposure
Patched Version: 4.0.0-rc17
Recommended Action: Update to version 4.0.0-rc17, or a newer patched version

Plugin: Better WordPress reCAPTCHA (with no CAPTCHA reCAPTCHA)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Resim Ara

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Time Sheets

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Wordfence Security – Firewall, Malware Scan, and Login Security

Vulnerability: Stored Cross-Site Scripting via HTTP_HOST
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version

Plugin: Complianz Premium – GDPR/CCPA Cookie Consent

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.4.7
Recommended Action: Update to version 6.4.7, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authorization Bypass
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version

Plugin: OOPSpam Anti-Spam

Vulnerability: Cross-Site Request Forgery via empty_ham_entries and empty_spam_entries
Patched Version: 1.1.45
Recommended Action: Update to version 1.1.45, or a newer patched version

Plugin: Stars Rating

Vulnerability: Denial of Service
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Seed Social

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Mail logging – WP Mail Catcher

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.0.0
Recommended Action: Update to version 2.6.0.0, or a newer patched version

Plugin: Popups – WordPress Popup

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paid Memberships Pro CCBill Gateway

Vulnerability: Insufficient Authorization
Patched Version: 0.4
Recommended Action: Update to version 0.4, or a newer patched version

Plugin: SpiderVPlayer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Export WP Page to Static HTML/CSS

Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: StoryChief

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 1.0.31
Recommended Action: Update to version 1.0.31, or a newer patched version

Plugin: WOWRestro – Online Ordering System For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version

Plugin: WordPress Popular Posts

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 5.3.3
Recommended Action: Update to version 5.3.3, or a newer patched version

Plugin: ActiveCampaign – Forms, Site Tracking, Live Chat

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.1.12
Recommended Action: Update to version 8.1.12, or a newer patched version

Plugin: Popup contact form

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FileBird – WordPress Media Library Folders & File Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Folder Import
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version

Plugin: Currency Converter Widget – Exchange Rates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Arbitrary File Upload
Patched Version: 2.0.66
Recommended Action: Update to version 2.0.66, or a newer patched version

Plugin: SEO Redirection Plugin – 301 Redirect Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.1
Recommended Action: Update to version 9.1, or a newer patched version

Plugin: Mail Masta

Vulnerability: SQL Injection via list_id parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.76
Recommended Action: Update to version 1.3.76, or a newer patched version

Plugin: Patreon WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: BackupBuddy

Vulnerability: Sensitive Information Disclosure
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: WatchTowerHQ

Vulnerability: Type Juggling to Authentication Bypass in check_ota
Patched Version: 3.6.17
Recommended Action: Update to version 3.6.17, or a newer patched version

Plugin: Launchpad – Coming Soon & Maintenance Mode Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YouTube Embed

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version

Plugin: eShop

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.2.9
Recommended Action: Update to version 6.2.9, or a newer patched version

Plugin: Software License Manager

Vulnerability: Cross-Site Request Forgery leading to Arbitrary Domain Deletion
Patched Version: 4.5.1
Recommended Action: Update to version 4.5.1, or a newer patched version

Plugin: Jupiter X Core

Vulnerability: 3.3.0
Patched Version: 3.3.5
Recommended Action: Update to version 3.3.5, or a newer patched version

Plugin: My YouTube Channel

Vulnerability: Missing Authorization
Patched Version: 3.23.0
Recommended Action: Update to version 3.23.0, or a newer patched version

Plugin: WooCommerce Customers Manager

Vulnerability: Authenticated Account Creation and Privilege Escalation
Patched Version: 26.5
Recommended Action: Update to version 26.5, or a newer patched version

Plugin: Accordion

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.2.43
Recommended Action: Update to version 2.2.43, or a newer patched version

Plugin: Booster Plus for WooCommerce

Vulnerability: Authenticated (Subscriber+) Order Modification
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version

Plugin: Copyright Proof

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mail On Update

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version

Plugin: MouseWheel Smooth Scroll

Vulnerability: Plugin’s Setting Update via Cross-Site Request Forgery
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version

Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version

Plugin: Twitter Friends Widget

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Request Forgery to Field Import and PHP Object Injection
Patched Version: 3.6.10
Recommended Action: Update to version 3.6.10, or a newer patched version

Plugin: Calendar Event Multi View

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 1.4.07
Recommended Action: Update to version 1.4.07, or a newer patched version

Plugin: RapidLoad – Optimize Web Vitals Automatically

Vulnerability: Cross-Site Request Forgery via ‘clear_uucss_logs’
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.0.46
Recommended Action: Update to version 2.0.46, or a newer patched version

Plugin: Ocean Extra

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version

Plugin: Advanced Contact form 7 DB

Vulnerability: Authenticated Arbitrary File Deletion
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: Uploadify

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Booking Calendar

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Cookie Notice & Consent

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: Checklist

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: Cardinity Payment Gateway for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: All-In-One Security (AIOS) – Security and Firewall

Vulnerability: Cross-Site Scripting
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version

Plugin: Surbma | GDPR Proof Cookie Consent & Notice Bar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 17.6.0
Recommended Action: Update to version 17.6.0, or a newer patched version

Plugin: TS Webfonts for さくらのレンタルサーバ

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Stored Cross-Site Scripting
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version

Plugin: Gallery Bank – WordPress Photo Gallery Plugin

Vulnerability: SQL Injection
Patched Version: 3.0.330
Recommended Action: Update to version 3.0.330, or a newer patched version

Plugin: Yoast SEO

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: Modal Window – create popup modal window

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: Comment Highlighter

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: InstaWP Connect – 1-click WP Staging & Migration

Vulnerability: Missing Authorization to Unauthenticated Post/Taxonomy/User Add/Change/Delete, Customizer Setting Change, Plugin Installation/Activation/Deactivation via events_receiver
Patched Version: 0.0.9.19
Recommended Action: Update to version 0.0.9.19, or a newer patched version

Plugin: Maintenance Mode by Supsystic

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: No subtitle
Patched Version: 2.2.15
Recommended Action: Update to version 2.2.15, or a newer patched version

Plugin: wordcamp-talks

Vulnerability: CSV Injection
Patched Version: 1.0.0-beta3
Recommended Action: Update to version 1.0.0-beta3, or a newer patched version

Plugin: WatuPRO

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.9.0.8
Recommended Action: Update to version 4.9.0.8, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Arbitrary File Upload
Patched Version: 2.6.1.4
Recommended Action: Update to version 2.6.1.4, or a newer patched version

Plugin: WordPress Online Booking and Scheduling Plugin – Bookly

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 22.5
Recommended Action: Update to version 22.5, or a newer patched version

Plugin: Stamped.io Product Reviews & UGC for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Missing Authorization
Patched Version: 4.2.3
Recommended Action: Update to version 4.2.3, or a newer patched version

Plugin: Smooth Scroll Links [SSL]

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clean Login

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.13.7
Recommended Action: Update to version 1.13.7, or a newer patched version

Plugin: WPML

Vulnerability: Authorization Bypass
Patched Version: 3.1.9.1
Recommended Action: Update to version 3.1.9.1, or a newer patched version

Plugin: WordPress PDF Light Viewer Plugin

Vulnerability: Authenticated Command Injection
Patched Version: 1.4.12
Recommended Action: Update to version 1.4.12, or a newer patched version

Plugin: Frontend File Manager Plugin

Vulnerability: Unauthenticated HTML Injection leading to Spam Emails
Patched Version: 18.3
Recommended Action: Update to version 18.3, or a newer patched version

Plugin: Chained Quiz

Vulnerability: Cross-Site Request Forgery to Arbitrary Quiz Deletion and Copying
Patched Version: 1.3.2.5
Recommended Action: Update to version 1.3.2.5, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.7.10
Recommended Action: Update to version 2.7.10, or a newer patched version

Plugin: Login using WordPress Users ( WP as SAML IDP )

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.13.4
Recommended Action: Update to version 1.13.4, or a newer patched version

Plugin: Add Shortcodes Actions And Filters

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10
Recommended Action: Update to version 2.10, or a newer patched version

Plugin: MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting via Form Name
Patched Version: 6.8.9
Recommended Action: Update to version 6.8.9, or a newer patched version

Plugin: WP Abstracts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: WP Survey Plus

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: My Calendar – Accessible Event Manager

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.4.22
Recommended Action: Update to version 3.4.22, or a newer patched version

Plugin: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox

Vulnerability: Authenticated (edit_popups+) SQL Injection
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: Authenticated Blind SQL Injection
Patched Version: 1.5.64
Recommended Action: Update to version 1.5.64, or a newer patched version

Plugin: Team – Team Members Showcase Plugin

Vulnerability: WordPress Team Member Showcase Plugin <= 4.1.1
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: Formzu WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.12.0
Recommended Action: Update to version 2.12.0, or a newer patched version

Plugin: Smarty for WordPress

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Paytium: Mollie payment forms & donations

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: pootle button

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Authenticated Stored Cross-Site Scripting via Shortcode
Patched Version: 4.16.3
Recommended Action: Update to version 4.16.3, or a newer patched version

Plugin: Menu Swapper

Vulnerability: Cross-Site Request Forgery Bypass
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Andrea Pernici News Sitemap for Google

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Share Buttons Plugin – AddThis

Vulnerability: Authenticated Cross-Site Scripting
Patched Version: 5.0.13
Recommended Action: Update to version 5.0.13, or a newer patched version

Plugin: Animate It!

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: GroupDocs.Comparison for Cloud

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘wpfc_remove_cdn_integration_ajax_request_callback’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Network Publisher

Vulnerability: Cross-Site Scripting
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.14.3
Recommended Action: Update to version 2.14.3, or a newer patched version

Plugin: Backend Localization

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: wpCentral

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress HTTPS (SSL)

Vulnerability: Missing Authorization to Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: bbp style pack

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.5.6
Recommended Action: Update to version 5.5.6, or a newer patched version

Plugin: Limit Login Attempts (Spam Protection)

Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: Calendar Event Multi View

Vulnerability: Missing Authentication leading to Authenticated (Subscriber+) Private Form Submission
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version

Plugin: WP-Banners-Lite

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce ESTO

Vulnerability: Cross-Site Request Forgery via saveSetting
Patched Version: 2.23.2
Recommended Action: Update to version 2.23.2, or a newer patched version

Plugin: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.0.44
Recommended Action: Update to version 2.0.44, or a newer patched version

Plugin: Trending/Popular Post Slider and Widget

Vulnerability: Cross-Site Request Forgery via wtpsw_post_view_count
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: WP Reroute Email

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend

Vulnerability: Privilege Escalation
Patched Version: 3.5.29
Recommended Action: Update to version 3.5.29, or a newer patched version

Plugin: Product Catalog Simple

Vulnerability: Cross-Site Request Forgery via ic_system_status
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: IgniteUp – Coming Soon and Maintenance Mode

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 3.4.1
Recommended Action: Update to version 3.4.1, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Insufficient Authorization to Comment Submission on Deleted Posts
Patched Version: 7.6.11
Recommended Action: Update to version 7.6.11, or a newer patched version

Plugin: Adning Advertising

Vulnerability: Arbitrary File Upload
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: WD Instagram Feed Premium

Vulnerability: Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: ImageMagick Engine

Vulnerability: Cross-Site Request Forgery to PHAR Deserialization
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version

Plugin: Product Delivery Date for WooCommerce – Lite

Vulnerability: Missing Authorization
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: Canto

Vulnerability: Blind Server-Side Request Forgery via get.php
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: WP Meta SEO

Vulnerability: Missing Authorization in ‘regenerateSitemaps’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Quiz Tool Lite

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sticky Popup

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPCS – WordPress Currency Switcher Professional

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Injection Guard

Vulnerability: Cross-Site Request Forgery via ig_update
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: TerraClassifieds – Simple Classifieds Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Subscription

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: MainWP Clone Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: WP Time Slots Booking Form

Vulnerability: Improper Authorization Checks
Patched Version: 1.1.83
Recommended Action: Update to version 1.1.83, or a newer patched version

Plugin: Social Feed | All social media in one place

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: All Bootstrap Blocks

Vulnerability: Cross-Site Request Forgery to Plugin Settings Reset
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Interactive Medical Drawing of Human Body

Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Thank You Counter Button

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Companion Sitemap Generator – HTML & XML

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version

Plugin: WP eCommerce

Vulnerability: SQL Injection
Patched Version: 3.8.7.6
Recommended Action: Update to version 3.8.7.6, or a newer patched version

Plugin: CommentTweets

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Private Messages

Vulnerability: Authenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: OneLogin SAML SSO

Vulnerability: Distributed Denial-of-Service
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: RSVP and Event Management

Vulnerability: Unauthenticated Sensitive Information Disclosure
Patched Version: 2.7.8
Recommended Action: Update to version 2.7.8, or a newer patched version

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Simple Mail Address Encoder

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Button Generator – easily Button Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Educare – Students & Result Management System

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: VikBooking Hotel Booking Engine & PMS

Vulnerability: Cross-Site Request Forgery in savetmplfile function
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version

Plugin: WP Symposium

Vulnerability: Unauthenticated SQL Injection
Patched Version: 15.8
Recommended Action: Update to version 15.8, or a newer patched version

Plugin: Activity Log – Monitor & Record User Changes

Vulnerability: Cross-Site Scripting
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: WordPress Related Posts

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: uContext for Clickbank

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Forms for Mailchimp

Vulnerability: Reflected Cross-Site Scripting via ‘sql_error’
Patched Version: 6.8.9
Recommended Action: Update to version 6.8.9, or a newer patched version

Plugin: WPSmartContracts

Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 1.3.12
Recommended Action: Update to version 1.3.12, or a newer patched version

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Vulnerability: Privilege Escalation via Arbitrary User Meta Updates
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: 微信打赏(Wechat Reward)

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Availability Calendar

Vulnerability: Cross-Site Request Forgery via add_availability_calendar_create_admin_page()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Powie's WHOIS Domain Check

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 0.9.32
Recommended Action: Update to version 0.9.32, or a newer patched version

Plugin: ToTop Link

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Mondial Relay & Chronopost plugin for WooCommerce – WCMultiShipping

Vulnerability: Missing Authorization to Log Export
Patched Version: 2.3.6
Recommended Action: Update to version 2.3.6, or a newer patched version

Plugin: Customify – Intuitive Website Styling

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.10.5
Recommended Action: Update to version 2.10.5, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Cross-Site Request Forgery to WPForm/Blocks Import
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: W3 Total Cache

Vulnerability: File Read / Directory Traversal
Patched Version: 0.9.4
Recommended Action: Update to version 0.9.4, or a newer patched version

Plugin: WP-Paginate

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: IP Spoofing
Patched Version: 5.2.5.1
Recommended Action: Update to version 5.2.5.1, or a newer patched version

Core: WordPress

Vulnerability: Denial of Service via XML
Patched Version: 3.7.4
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.4, 3.8.4, 3.9.2

Plugin: Import any XML, CSV or Excel File to WordPress

Vulnerability: SQL Injection
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: Referrer Detector

Vulnerability: PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Germanized for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.9.5
Recommended Action: Update to version 3.9.5, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Scripting
Patched Version: 7.1.19
Recommended Action: Update to version 7.1.19, or a newer patched version

Plugin: WP Extended Search

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Authenticated (Contributor+) SQL Injection via shortcode
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Post Gallery

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Lightbox & Gallery

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via name
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: YaySMTP – WP SMTP Plugin with Full Email Log & 15+ SMTP Services

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Core: WordPress

Vulnerability: Open Redirect
Patched Version: 3.7.30
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.14, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3
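
The entries above all resolve to the same operational question: is the version I am running at or above the patched version, and if the advisory lists several patched branches (as the WordPress core entries do), which one applies to me? The following script is an added example, not code from the original post or from Wordfence or any plugin vendor. It parses advisory text written in this page's own "Plugin: / Vulnerability: / Patched Version: / Recommended Action:" layout and compares it against an installed inventory. The inventory format is an assumption: a mapping of display title to version, such as an operator could build from `wp plugin list --fields=title,version --format=json` and `wp core version`; the advisory excerpt and inventory below are constructed samples, not real site data. For core entries that list many branch releases, it compares against the release in the same major.minor branch when one is listed, and otherwise against the highest listed version, which flags branches that never received a fix.

```python
"""Check an installed WordPress inventory against advisory entries written in
the Watch Out Wednesday layout (added example; inputs below are constructed)."""
import re
from typing import Optional

# Constructed excerpt in the page's own layout (sample input, copied by hand).
ADVISORY_TEXT = """
Plugin: My Calendar – Accessible Event Manager

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.4.22
Recommended Action: Update to version 3.4.22, or a newer patched version

Plugin: ToTop Link

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

Core: WordPress

Vulnerability: Open Redirect
Patched Version: 3.7.30
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.30, 3.8.30, 3.9.28, 4.0.27, 4.1.27, 4.2.24, 4.3.20, 4.4.19, 4.5.18, 4.6.15, 4.7.14, 4.8.10, 4.9.11, 5.0.6, 5.1.2, 5.2.3
"""

# Constructed sample inventory: display title -> installed version (assumed to be
# built from `wp plugin list --fields=title,version --format=json` and `wp core version`).
INVENTORY = {
    "My Calendar – Accessible Event Manager": "3.4.21",
    "ToTop Link": "1.0",
    "WordPress": "4.2.10",
}

VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple, zero-padded so 1.2 == 1.2.0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (5 - len(parts)))


def parse_advisories(text: str) -> list:
    """Parse 'Plugin:'/'Core:' blocks into dicts with every patched version listed."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"^(Plugin|Core):\s*(.+)$", line)
        if head:
            current = {"kind": head.group(1), "name": head.group(2),
                       "vulnerability": "", "patched": []}
            entries.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Vulnerability:"):
            current["vulnerability"] = line.split(":", 1)[1].strip()
        elif line.startswith("Patched Version:"):
            value = line.split(":", 1)[1].strip()
            if not value.lower().startswith("no patched"):
                current["patched"].append(value)
        elif line.startswith("Recommended Action:"):
            # Core entries enumerate every patched branch here; collect them all.
            for v in VERSION_RE.findall(line):
                if v not in current["patched"]:
                    current["patched"].append(v)
    return entries


def patched_version_for(installed: str, patched: list) -> Optional[str]:
    """Same major.minor branch if the advisory lists one, else the highest fix."""
    if not patched:
        return None
    branch = parse_version(installed)[:2]
    same_branch = [p for p in patched if parse_version(p)[:2] == branch]
    return max(same_branch or patched, key=parse_version)


def assess(inventory: dict, entries: list) -> dict:
    """Return {name: (status, detail)} for each advisory entry that is installed."""
    report = {}
    for e in entries:
        installed = inventory.get(e["name"])
        if installed is None:
            continue
        target = patched_version_for(installed, e["patched"])
        if target is None:
            report[e["name"]] = ("UNPATCHED", f"{installed} installed; no fix published, consider removal")
        elif parse_version(installed) >= parse_version(target):
            report[e["name"]] = ("OK", f"{installed} >= {target}")
        else:
            report[e["name"]] = ("UPDATE", f"{installed} < {target}: {e['vulnerability']}")
    return report


if __name__ == "__main__":
    for name, (status, detail) in assess(INVENTORY, parse_advisories(ADVISORY_TEXT)).items():
        print(f"{status:9} {name}: {detail}")
```

Versions are compared as zero-padded integer tuples, which is what matters for the dotted numerics used by WordPress plugins; suffixes such as "beta" are ignored, so treat a pre-release as unpatched until you have checked it by hand. An entry marked UNPATCHED matches the page's own advice: there is nothing to update to, so mitigate or remove the plugin.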

Plugin: Appointment Booking Calendar

Vulnerability: SQL Injection
Patched Version: 1.1.24
Recommended Action: Update to version 1.1.24, or a newer patched version

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Vulnerability: Not specified in the advisory (affects versions <= 4.6.0.2)
Patched Version: 4.6.0.3
Recommended Action: Update to version 4.6.0.3, or a newer patched version

Plugin: Task Manager Pro – Task Management Plugin For WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: StatPressCN

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: directories

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.46
Recommended Action: Update to version 1.3.46, or a newer patched version

Plugin: This Day In History

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Relevanssi – A Better Search

Vulnerability: SQL Injection
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Cross-Site Scripting
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: PDF Viewer & 3D PDF Flipbook – DearPDF

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-CommentNavi

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.12.2
Recommended Action: Update to version 1.12.2, or a newer patched version

Plugin: Codup WooCommerce Dynamic Pricing Table View

Vulnerability: Stored Cross-Site Scripting
Patched Version: 1.2.1.5
Recommended Action: Update to version 1.2.1.5, or a newer patched version

Plugin: Ultimate Taxonomy Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Generator

Vulnerability: Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Uploading SVG, WEBP and ICO files

Vulnerability: Arbitrary File Upload
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Social Sharing Plugin – Social Warfare

Vulnerability: Missing Authorization
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: cformsII

Vulnerability: CAPTCHA Bypass
Patched Version: 14.11
Recommended Action: Update to version 14.11, or a newer patched version

Plugin: Mimetic Books

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BuddyPress

Vulnerability: Insufficient Input Validation
Patched Version: 6.4.0
Recommended Action: Update to version 6.4.0, or a newer patched version

Plugin: WP Photo Album Plus

Vulnerability: Cross-Site Scripting
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: LayerSlider

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: Aspose.Words – Import and Export word documents

Vulnerability: Arbitrary File Download
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: IMDB Profile Widget

Vulnerability: Local File Inclusion
Patched Version: 1.0.9
Recommended Action: Update to version 1.0.9, or a newer patched version

Plugin: Laposta Signup Embed

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Stored Cross-Site Scripting
Patched Version: 7.3.7
Recommended Action: Update to version 7.3.7, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting via Shortcodes
Patched Version: 3.7.11
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.11, 3.8.11, 3.9.9, 4.0.8, 4.1.8, 4.2.5, 4.3.1

Plugin: YourChannel: Everything you want in a YouTube plugin.

Vulnerability: Cross-Site Request Forgery to Plugin Settings Change
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: 3CX Free Live Chat, Calls & WhatsApp

Vulnerability: Local File Inclusion
Patched Version: 9.4.3
Recommended Action: Update to version 9.4.3, or a newer patched version

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Missing Authorization to User Points Updates
Patched Version: 2.5.7
Recommended Action: Update to version 2.5.7, or a newer patched version

Plugin: Zippy

Vulnerability: Authenticated (Contributor+) Sensitive Information Disclosure
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Author+) Server-Side Request Forgery via URL
Patched Version: 2.10.24
Recommended Action: Update to version 2.10.24, or a newer patched version

Plugin: Appointment Hour Booking – WordPress Booking Plugin

Vulnerability: Missing Authorization
Patched Version: 1.3.72
Recommended Action: Update to version 1.3.72, or a newer patched version

Plugin: WooCommerce Stripe Payment Gateway

Vulnerability: Missing Authorization
Patched Version: 7.4.1
Recommended Action: Update to version 7.4.1, or a newer patched version

Plugin: Tawk.To Live Chat

Vulnerability: Missing Authorization to Visitor Monitoring & Chat Removal
Patched Version: 0.6.0
Recommended Action: Update to version 0.6.0, or a newer patched version

Plugin: track-that-stat

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: AppPresser – Mobile App Framework

Vulnerability: Insecure Password Reset Mechanism
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Gutenverse – Ultimate Block Addons and Page Builder for Site Editor

Vulnerability: Missing Authorization via ‘data/update’ API Endpoint
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: Apollo13 Framework Extensions

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: WP Activity Log Premium

Vulnerability: Cross-Site Request Forgery via ajax_switch_db
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: WordPress Multisite User Sync/Unsync (Premium)

Vulnerability: Not specified in the advisory
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: ElasticPress

Vulnerability: Remote Code Execution
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version

Plugin: EZP Coming Soon Page

Vulnerability: Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Laybuy Payment Extension for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Redirection

Vulnerability: Missing Authorization in ‘SaveSettings’ function
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Accordion and Accordion Slider

Vulnerability: Missing Authorization via ‘wp_aas_get_attachment_edit_form’ and ‘wp_aas_save_attachment_data’
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: SB Uploader

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Import Export Lite

Vulnerability: Unauthenticated Sensitive Data Disclosure
Patched Version: 3.9.16
Recommended Action: Update to version 3.9.16, or a newer patched version

Plugin: Email Log

Vulnerability: Admin+ SQL Injection
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: WP-Cirrus

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Submissions

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.4.9.9
Recommended Action: Update to version 1.4.9.9, or a newer patched version

Plugin: Pricing Deals for WooCommerce

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Ovic Responsive WPBakery

Vulnerability: Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Download Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.22
Recommended Action: Update to version 3.1.22, or a newer patched version

Plugin: iPages Flipbook For WordPress

Vulnerability: Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version

Plugin: Easy Digital Downloads – Conditional Success Redirects

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: PDF.js Viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version

Plugin: Hide My WP Ghost – Security & Firewall

Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched Version: 5.0.20
Recommended Action: Update to version 5.0.20, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Cross-Site Request Forgery
Patched Version: 8.1.19
Recommended Action: Update to version 8.1.19, or a newer patched version

Plugin: Classified Core

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Plugin: Stripe Payment Plugin for WooCommerce

Vulnerability: Authentication Bypass
Patched Version: 3.7.8
Recommended Action: Update to version 3.7.8, or a newer patched version

Plugin: Client Portal : SuiteDash Direct Login

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: AdFoxly – Ad Manager, AdSense Ads & Ads.txt

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Floating Social Bar

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Portfolio for Elementor & Image Gallery | PowerFolio

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Twitget

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.3
Recommended Action: Update to version 3.3.3, or a newer patched version

Plugin: Haxcan

Vulnerability: Authenticated (Admin+) Path Traversal to Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Secure HTML5 Video Player

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.7.9
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.9, 3.8.9, 3.9.7, 4.0.6, 4.1.6, 4.2.3

Plugin: Indeed Membership Pro

Vulnerability: Arbitrary File Upload
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: WP Fastest Cache

Vulnerability: Cross-Site Request Forgery via ‘deleteCssAndJsCacheToolbar’
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Loco Translate

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Authorize.net Add-on for iThemes Exchange

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin

Vulnerability: SQL Injection
Patched Version: 1.3.59
Recommended Action: Update to version 1.3.59, or a newer patched version

Plugin: WP Photo Album Plus

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.4.18
Recommended Action: Update to version 5.4.18, or a newer patched version

Plugin: Thrive Automator

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.17.1
Recommended Action: Update to version 1.17.1, or a newer patched version

Plugin: Login Screen Manager

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Toolset Types – Custom Post Types, Custom Fields and Taxonomies

Vulnerability: Cross-Site Scripting
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: BadgeOS

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.7.1.3
Recommended Action: Update to version 3.7.1.3, or a newer patched version

Plugin: 12 Step Meeting List

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 3.14.25
Recommended Action: Update to version 3.14.25, or a newer patched version

Plugin: WP Helper Premium

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Custom Login Page Styler

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.2.5
Recommended Action: Update to version 6.2.5, or a newer patched version

Plugin: The Plus Addons for Elementor Page Builder

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 5.2.9
Recommended Action: Update to version 5.2.9, or a newer patched version

Plugin: Appointment Booking Calendar

Vulnerability: SQL Injection
Patched Version: 1.2.25
Recommended Action: Update to version 1.2.25, or a newer patched version

Plugin: BP Group Documents

Vulnerability: Path Traversal
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: WooFramework Tweaks

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Themify Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)

Vulnerability: Reflected Cross-Site Scripting via effects
Patched Version: 9.7.1
Recommended Action: Update to version 9.7.1, or a newer patched version

Plugin: Rich Widget

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Members Membership Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: WooCommerce

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version

Plugin: Zeno Font Resizer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Nested Pages

Vulnerability: Stored Cross-Site Scripting
Patched Version: 3.1.21
Recommended Action: Update to version 3.1.21, or a newer patched version

Plugin: bSuite

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 5 alpha 3
Recommended Action: Update to version 5 alpha 3, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Missing Authorization via wpas_edit_reply_ajax()
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Core: WordPress

Vulnerability: Stored Cross-Site Scripting via File Uploads
Patched Version: 3.7.28
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.28, 3.8.28, 3.9.26, 4.0.25, 4.1.25, 4.2.22, 4.3.18, 4.4.17, 4.5.16, 4.6.13, 4.7.12, 4.8.8, 4.9.9, 5.0.1

Plugin: Contact Form and Calls To Action by vcita

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Patched Version: 3.2.13
Recommended Action: Update to version 3.2.13, or a newer patched version

Plugin: WPB Show Core

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Oceanwp sticky header

Vulnerability: Cross-Site Request Forgery to Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager

Vulnerability: Authenticated (Admin+) Path Traversal
Patched Version: 3.2.55
Recommended Action: Update to version 3.2.55, or a newer patched version

Plugin: BMI BMR Calculator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz Maker

Vulnerability: Content Spoofing
Patched Version: 6.3.9.5
Recommended Action: Update to version 6.3.9.5, or a newer patched version

Plugin: Link Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.9.12.30
Recommended Action: Update to version 5.9.12.30, or a newer patched version

Plugin: ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Vulnerability: Authorization Bypass and Cross-Site Request Forgery
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version

Plugin: Archivist – Custom Archive Templates

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.5
Recommended Action: Update to version 1.7.5, or a newer patched version

Plugin: MailerLite – Signup forms (official)

Vulnerability: Signup forms <= 1.5.3
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: WordPress Online Booking and Scheduling Plugin – Bookly

Vulnerability: Cross-Site Scripting
Patched Version: 14.6
Recommended Action: Update to version 14.6, or a newer patched version

Core: WordPress

Vulnerability: Shortcode Execution in User Generated Content
Patched Version: 5.9.7
Recommended Action: Update to one of the following versions, or a newer patched version: 5.9.7, 6.0.5, 6.1.3, 6.2.2

Plugin: JS Job Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Crazy Bone

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WIP Custom Login

Vulnerability: Missing Authorization
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Gift Up Gift Cards for WordPress and WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.20.2
Recommended Action: Update to version 2.20.2, or a newer patched version

Plugin: Simple YouTube Responsive

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Social Rocket – Social Sharing Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Books & Papers

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.20220219
Recommended Action: Update to version 0.20220219, or a newer patched version

Plugin: Wp-Hide

Vulnerability: Missing Authorization to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Consultant

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quiz Maker

Vulnerability: Missing Authorization
Patched Version: 6.5.1.2
Recommended Action: Update to version 6.5.1.2, or a newer patched version

Plugin: WP Page Widget

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: Dynamically Register Sidebars

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Loginizer

Vulnerability: Reflected Cross-Site Scripting via ‘limit_session[count]’
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: Dynamic Visibility for Elementor

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Post Visibility Modification
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version

Plugin: Insert Pages

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Plugin: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Vulnerability: Authorization Bypass to Blocking Control Bypass
Patched Version: 1.9.10.69
Recommended Action: Update to version 1.9.10.69, or a newer patched version

Plugin: POEditor

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.9.5
Recommended Action: Update to version 0.9.5, or a newer patched version

Plugin: MultiParcels Shipping For WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.15.2
Recommended Action: Update to version 1.15.2, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.9.9
Recommended Action: Update to version 2.9.9, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Missing Authorization via AJAX actions
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version

Plugin: Convertful – Your Ultimate On-Site Conversion Tool

Vulnerability: Missing Authorization via add_woo_coupon
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: phpinfo() WP

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.0
Recommended Action: Update to version 5.0, or a newer patched version

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.16.11
Recommended Action: Update to version 1.16.11, or a newer patched version

Plugin: Bootstrap Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tajer

Vulnerability: Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HashThemes Demo Importer

Vulnerability: Missing Authorization to Database Wipe
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Modern Events Calendar Lite

Vulnerability: Reflected Cross-Site Scripting via current_month_divider parameter
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version

Plugin: WP-RSS-Spreadshirt-3DCube-Gallery

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.21
Recommended Action: Update to version 6.21, or a newer patched version

Plugin: WP-EMail

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 2.67.3
Recommended Action: Update to version 2.67.3, or a newer patched version

Plugin: Photo Gallery by Ays – Responsive Image Gallery

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.4
Recommended Action: Update to version 4.4.4, or a newer patched version

Plugin: CHP Ads Block Detector

Vulnerability: Missing Authorization to Plugin Settings Update
Patched Version: 3.9.8
Recommended Action: Update to version 3.9.8, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Cross-Site Scripting
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version

Plugin: HT Portfolio – WordPress Portfolio Plugin for Elementor

Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Scripts Organizer

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Abandoned Cart Lite for WooCommerce

Vulnerability: Improper Authorization via wcal_preview_emails
Patched Version: 5.16.1
Recommended Action: Update to version 5.16.1, or a newer patched version

Plugin: Participants Database

Vulnerability: SQL Injection
Patched Version: 1.9.5.6
Recommended Action: Update to version 1.9.5.6, or a newer patched version

Plugin: WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log

Vulnerability: Missing Authorization leading to Authenticated (Subscriber+) Authorization Bypass
Patched Version: 3.43
Recommended Action: Update to version 3.43, or a newer patched version

Plugin: WPML

Vulnerability: Missing Authorization to Translation Job Status Change
Patched Version: 4.5.11
Recommended Action: Update to version 4.5.11, or a newer patched version

Plugin: WORDPRESS VIDEO GALLERY

Vulnerability: Cross-Site Scripting
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.3.5
Recommended Action: Update to version 6.3.5, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Stored Cross-Site Scripting
Patched Version: 2.3.7
Recommended Action: Update to version 2.3.7, or a newer patched version

Plugin: wordpress-form-manager

Vulnerability: Authenticated Remote Command Execution
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Cookie Monster

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Advanced Dynamic Pricing for WooCommerce

Vulnerability: Cross-Site Request Forgery via migrateProductOnlyToCommon function
Patched Version: 4.1.6
Recommended Action: Update to version 4.1.6, or a newer patched version

Plugin: WP-T-Wap

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Authenticated (Admin+) Arbitrary File Read via Directory Traversal
Patched Version: 5.5.4.1
Recommended Action: Update to version 5.5.4.1, or a newer patched version

Plugin: lasTunes

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Facebook Page Photo Gallery

Vulnerability: Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MC4WP: Mailchimp for WordPress

Vulnerability: Missing Authorization via listen
Patched Version: 4.9.10
Recommended Action: Update to version 4.9.10, or a newer patched version

Plugin: TNIT Filter Gallery Plugin

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 0.0.7
Recommended Action: Update to version 0.0.7, or a newer patched version

Plugin: Related Posts for WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: WP Custom Author URL

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.12.23
Recommended Action: Update to version 2.12.23, or a newer patched version

Plugin: Product Catalog Simple

Vulnerability: Sensitive Information Exposure via Product CSV
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Sharebar

Vulnerability: Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Custom Field For WP Job Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: WP Meta SEO

Vulnerability: Missing Authorization in ‘checkAllCategoryInSitemap’
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 3.13
Recommended Action: Update to version 3.13, or a newer patched version

Plugin: Download Monitor

Vulnerability: Authenticated Directory Traversal to Sensitive Information Exposure
Patched Version: 4.7.3
Recommended Action: Update to version 4.7.3, or a newer patched version

Plugin: Auto Upload Images

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Auto More Tag

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SupportFlow

Vulnerability: Cross-Site Scripting via a ticket excerpt
Patched Version: 0.7
Recommended Action: Update to version 0.7, or a newer patched version

Plugin: MashShare – Social Media Share Buttons, Social Share Icons

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 6.6.13
Recommended Action: Update to version 6.6.13, or a newer patched version

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Vulnerability: Stored Cross-Site Scripting via Import
Patched Version: 3.35.0
Recommended Action: Update to version 3.35.0, or a newer patched version

Core: WordPress

Vulnerability: Arbitrary File Upload
Patched Version: 2.5.2
Recommended Action: Update to version 2.5.2, or a newer patched version

Plugin: Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension

Vulnerability: Unauthenticated Arbitrary Options Update
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: Under Construction

Vulnerability: Cross-Site Request Forgery via admin_action_install_weglot
Patched Version: 3.97
Recommended Action: Update to version 3.97, or a newer patched version

Plugin: Cosmetsy Core

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Portfolio Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.05
Recommended Action: Update to version 1.05, or a newer patched version

Plugin: Ray Enterprise Translation

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.9
Recommended Action: Update to version 1.1.9, or a newer patched version

Plugin: AdPush

Vulnerability: Multiple Cross-Site Scripting
Patched Version: 1.44
Recommended Action: Update to version 1.44, or a newer patched version

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.13.30
Recommended Action: Update to version 7.13.30, or a newer patched version

Core: WordPress

Vulnerability: Cross-Site Scripting
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version

Plugin: World Travel Information

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 301 Redirects – Easy Redirect Manager

Vulnerability: Easy Redirect Manager <= 2.40
Patched Version: 2.45
Recommended Action: Update to version 2.45, or a newer patched version

Plugin: Visual Form Builder

Vulnerability: Unauthenticated Information Disclosure
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Woocommerce Follow-ups

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.9.50
Recommended Action: Update to version 4.9.50, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via html_tag
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: Master Slider – Responsive Touch Slider

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 3.7.5
Recommended Action: Update to version 3.7.5, or a newer patched version

Plugin: Job Manager

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.7.25
Recommended Action: Update to version 0.7.25, or a newer patched version

Core: WordPress

Vulnerability: Security Hardening
Patched Version: 3.1.3
Recommended Action: Update to version 3.1.3, or a newer patched version

Plugin: Image Compressor & Optimizer – iLoveIMG

Vulnerability: iLoveIMG <= 1.0.5
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: LiveSync for WordPress

Vulnerability: Cross-Site Request Forgery to Arbitrary Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please rev