Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight newly disclosed vulnerabilities in WordPress plugins so that site owners can check whether an affected plugin is installed and act on it. Each entry lists the plugin, the vulnerability class, the first patched version (if one exists), and the recommended action. A few conventions used in the entries: "Authenticated (Contributor+)" means the attacker needs an account with at least the Contributor role (such accounts can write posts, and therefore shortcodes, but cannot post unfiltered HTML, which is why unescaped shortcode attributes are a recurring source of stored cross-site scripting); "Unauthenticated" means no account is needed; and "Cross-Site Request Forgery to Stored Cross-Site Scripting" means the attacker must first trick a logged-in administrator into submitting a crafted request. Where no patched version is listed, every released version of the plugin is affected. Deactivating the plugin is not always enough, because some of these issues sit in PHP files that can be requested directly even while the plugin is inactive, so uninstalling it or replacing it is the safer choice. Keeping plugins patched reduces, but does not eliminate, the risk to your site and its data.
Plugin: LH Email
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chess Tempo Viewer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RomethemeKit For Elementor
Vulnerability: Missing Authorization
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Lijit Search
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.4.10
Recommended Action: Update to version 4.4.10, or a newer patched version
Plugin: Top Flash Embed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: QuoteMedia Tools
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Google Map Professional (Map In Your Language)
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Flexmls® IDX Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via API parameters
Patched Version: 3.14.27
Recommended Action: Update to version 3.14.27, or a newer patched version
Plugin: Ketchup Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.2.1
Recommended Action: Update to version 0.2.1, or a newer patched version
Plugin: NOTICE BOARD BY TOWKIR
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: XML for Google Merchant Center
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.12
Recommended Action: Update to version 3.0.12, or a newer patched version
Plugin: FV Thoughtful Comments
Vulnerability: Missing Authorization
Patched Version: 0.3.6
Recommended Action: Update to version 0.3.6, or a newer patched version
Plugin: Gallery and Lightbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: root Cookie
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy EU Cookie law
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Restrict Anonymous Access
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: WR Price List Manager For Woocommerce
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: VR-Frases (collect & share quotes)
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Duplicate – WordPress Migration Plugin
Vulnerability: Missing Authorization
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version
Plugin: Easy YouTube Gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: Google Org Chart
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ask Me Anything (Anonymously)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Metaphor Widgets
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Picture Gallery – Frontend Image Uploads, AJAX Photo List
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.20
Recommended Action: Update to version 1.5.20, or a newer patched version
Plugin: WordPress HelpDesk & Support Ticket System Plugin – Octrace Support
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rio Photo Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GravatarLocalCache
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FAT Event Lite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI Power: Complete AI Pack
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Patched Version: 1.8.97
Recommended Action: Update to version 1.8.97, or a newer patched version
Plugin: RSVP and Event Management
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.7.15
Recommended Action: Update to version 2.7.15, or a newer patched version
Plugin: WP Fast Total Search – The Power of Indexed Search
Vulnerability: Missing Authorization
Patched Version: 1.79.262
Recommended Action: Update to version 1.79.262, or a newer patched version
Plugin: Ajax Contact Form
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MeinTurnierplan.de Widget Viewer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Neon Product Designer
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ThemeREX Addons
Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: 2.34.0
Recommended Action: Update to version 2.34.0, or a newer patched version
Plugin: Unique UX
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PDF.js Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Headmaster
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Import Users to MailChimp
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gallery: Hybrid – Advanced Visual Gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Marmoset Viewer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hack me if you can
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Target Video Easy Publish
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version
Plugin: brodos.net Onlineshop Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPBookit
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.6.10
Recommended Action: Update to version 1.6.10, or a newer patched version
Plugin: Subscription DNA®
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Contact Form Email
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.53
Recommended Action: Update to version 1.3.53, or a newer patched version
Plugin: Admin and Site Enhancements (ASE)
Vulnerability: Missing Authorization
Patched Version: 7.6.3
Recommended Action: Update to version 7.6.3, or a newer patched version
Plugin: Admin Menu Organizer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Cloak Affiliate Links
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.36
Recommended Action: Update to version 1.0.36, or a newer patched version
Plugin: Simple Gallery with Filter
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: ElementInvader Addons for Elementor
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: WooCommerce Order Search
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.32
Recommended Action: Update to version 3.1.32, or a newer patched version
Plugin: UpDownUpDown
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Proof Popups & Real-Time Notifications – Herd Effects
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 6.2.2
Recommended Action: Update to version 6.2.2, or a newer patched version
Plugin: Secure CAPTCHA
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: pootle button
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementsKit Pro
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via url Parameter
Patched Version: 3.7.9
Recommended Action: Update to version 3.7.9, or a newer patched version
Plugin: Bit.ly linker
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Altima Lookbook Free for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: wp-pano
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Foundation Columns
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.16.6
Recommended Action: Update to version 3.16.6, or a newer patched version
Plugin: Category D3 Tree
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bubble Menu – Sticky Navigation with Floating Button Menu Solution
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: Boom Fest
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: Giveaways and Contests by PromoSimple
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MHR-Custom-Anti-Copy
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Connections Business Directory
Vulnerability: Authenticated (Administrator+) Arbitrary Directory Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shortcode in Comment
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Photo Sphere
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.3
Recommended Action: Update to version 7.3, or a newer patched version
Plugin: My auctions allegro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.19
Recommended Action: Update to version 3.6.19, or a newer patched version
Plugin: Rename Author Slug
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Twitter Bootstrap Collapse aka Accordian Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Nite Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Homey Login Register
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Solidres – Hotel booking plugin for WordPress
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Xagio SEO – AI Powered Optimization
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.0.0.21
Recommended Action: Update to version 7.0.0.21, or a newer patched version
Plugin: GMAPS for WPBakery Page Builder Free
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Hotel Booking
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LocalGrid
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LH Login Page
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Duplicator
Vulnerability: Authenticated (Contributor+) Protected Post Disclosure
Patched Version: 2.37
Recommended Action: Update to version 2.37, or a newer patched version
Plugin: FP RSS Category Excluder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: Quick Count
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.81
Recommended Action: Update to version 2.2.81, or a newer patched version
Plugin: Custom Product Tabs Lite for WooCommerce
Vulnerability: Authenticated (Shop Manager+) PHP Object Injection
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: PPOM – Product Addons & Custom Fields for WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 33.0.9
Recommended Action: Update to version 33.0.9, or a newer patched version
Plugin: Easy Portfolio
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Partners
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mindmeister Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HelloAsso
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.12
Recommended Action: Update to version 1.1.12, or a newer patched version
Plugin: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget
Vulnerability: Authenticated (Contributor+) Local File Inclusion via post_type_ajax_handler()
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: FAQ Builder AYS
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.4
Recommended Action: Update to version 1.7.4, or a newer patched version
Plugin: WP-Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paytium: Mollie payment forms & donations
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 4.4.12
Recommended Action: Update to version 4.4.12, or a newer patched version
Plugin: Power Ups for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Real Seguro Viagem
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI Chatbot for WordPress – Hyve Lite
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Send to Twitter
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Incredible Font Awesome
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Precious Metals Charts and Widgets for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: Wise Forms
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementInvader Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: wp_amaps
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Caching Compatible Cookie Opt-In and JavaScript
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.0.11
Recommended Action: Update to version 0.0.11, or a newer patched version
Plugin: Related Post Shortcode
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Preloader Quotes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Go Maps (formerly WP Google Maps)
Vulnerability: Cross-Site Request Forgery
Patched Version: 9.0.41
Recommended Action: Update to version 9.0.41, or a newer patched version
Plugin: 12 Step Meeting List
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 3.16.6
Recommended Action: Update to version 3.16.6, or a newer patched version
Plugin: Annie
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hotspots Analytics
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Annie
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Carousel & Slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Brizy Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image Gallery Box by CRUDLab
Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Horizontal Line Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Taskbuilder – WordPress Project & Task Management plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: Track Logins
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Chained Quiz
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Simple Downloads List
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Customizable Captcha and Contact us
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Free MailClient FMC
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GMap Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Google Street View (with 360° virtual tour) & Google maps + Local SEO
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: WP Post Corrector
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post & Page Notes
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Coming Soon & Maintenance
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Ketchup Shortcodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.2.1
Recommended Action: Update to version 0.2.1, or a newer patched version
Plugin: Page Builder: Pagelayer – Drag and Drop website builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version
Plugin: Spexo Addons for Elementor – Free Elementor Addons, Widgets and Templates
Vulnerability: Missing Authorization to Spexo Theme Install
Patched Version: 1.0.15
Recommended Action: Update to version 1.0.15, or a newer patched version
Plugin: Gutenberg Blocks and Page Layouts – Attire Blocks
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.7
Recommended Action: Update to version 1.9.7, or a newer patched version
Plugin: Menus Plus+
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All Post Contact Form
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP ViewSTL
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Side Menu Lite – add sticky fixed buttons
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version
Plugin: Elementor Addons AI Addons – 70 Widgets, Premium Templates, Ultimate Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: OrangeBox
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Smaily for WP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Shortcode Buttons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
Vulnerability: Unauthenticated Arbitrary Shortcode Execution via gamipress_ajax_get_logs Function
Patched Version: 7.2.2
Recommended Action: Update to version 7.2.2, or a newer patched version
Plugin: Daily Proverb
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.5.15
Recommended Action: Update to version 8.5.15, or a newer patched version
Plugin: Links/Problem Reporter
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Instant Appointment
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HTTP to HTTPS link changer by Eyga.net
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI Power: Complete AI Pack
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 1.8.97
Recommended Action: Update to version 1.8.97, or a newer patched version
Plugin: Email Subscription Popup
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.2.24
Recommended Action: Update to version 1.2.24, or a newer patched version
Plugin: WP Lyrics
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image Switcher
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DD Roles
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Nativery Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hide Category by User Role for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Greek Namedays Widget From Eortologio.Net
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Skyword XMLRPC publishing
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: WP Order By
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kopa Nictitate Toolkit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.2.14
Recommended Action: Update to version 4.2.14, or a newer patched version
Plugin: Premium Packages – Sell Digital Products Securely
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 5.9.7
Recommended Action: Update to version 5.9.7, or a newer patched version
Plugin: VikAppointments Services Booking Calendar
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version
Plugin: WooCommerce Quick View
Vulnerability: Unauthenticated Information Disclosure
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: AI Power: Complete AI Pack
Vulnerability: Authenticated (Admin+) PHP Object Injection via wpaicg_export_prompts
Patched Version: 1.8.97
Recommended Action: Update to version 1.8.97, or a newer patched version
Plugin: Job Board Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.60
Recommended Action: Update to version 2.1.60, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Authenticated (LP Instructor+) Stored Cross-Site Scripting via Lesson Name
Patched Version: 4.2.7.5.1
Recommended Action: Update to version 4.2.7.5.1, or a newer patched version
Plugin: Product Table by WBW
Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Post-to-Post Links
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LSD Google Maps Embedder
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy FAQs
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Listamester
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.5
Recommended Action: Update to version 2.3.5, or a newer patched version
Plugin: JB Horizontal Scroller News Ticker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Posts Footer Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Activity Plus Reloaded for BuddyPress
Vulnerability: Authenticated (Subscriber+) Blind Server-Side Request Forgery
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version
Plugin: Themify Builder
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.6
Recommended Action: Update to version 7.6.6, or a newer patched version
Plugin: HireHive Job Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mass Custom Fields Manager
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Comment Edit Core – Simple Comment Editing
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: Variation Swatches for WooCommerce
Vulnerability: 1.3.2
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Advanced Data Table for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Chalet-Montagne.com Tools
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ajax WP Query Search Filter
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ekiline Block Collection
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version
Plugin: Quiz Maker Developer
Vulnerability: Reflected DOM-Based Cross-Site Scripting via content
Patched Version: 21.8.0.100
Recommended Action: Update to version 21.8.0.100, or a newer patched version
Plugin: VikBooking Hotel Booking Engine & PMS
Vulnerability: Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version
Plugin: Sticky Buttons – floating buttons builder
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version
Plugin: WP VTiger Synchronization
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress SEO Friendly Accordion FAQ with AI assisted content generation
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Custom Google Search
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Compare Ninja: Create Professional Comparison Tables and Easily Add Them to Your Website
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Meetup
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Carousel Slider & Grid Ultimate for WooCommerce
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.10.1
Recommended Action: Update to version 1.10.1, or a newer patched version
Plugin: jAlbum Bridge
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ar Parameter
Patched Version: 2.0.17
Recommended Action: Update to version 2.0.17, or a newer patched version
Plugin: Export All Posts, Products, Orders, Refunds & Users
Vulnerability: Authenticated (Admin+) Arbitrary File Read
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version
Plugin: SmartEmailing
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version
Plugin: Verge3D Publishing and E-Commerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.8.1
Recommended Action: Update to version 4.8.1, or a newer patched version
Plugin: BMLT Meeting Map
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Product Size Charts Plugin for WooCommerce
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.1.10
Recommended Action: Update to version 6.1.10, or a newer patched version
Plugin: Jet Skinner for BuddyPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress CRM Plugin – WP-CRM System
Vulnerability: Missing Authorization
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Membership Plugin – Restrict Content
Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 3.2.14
Recommended Action: Update to version 3.2.14, or a newer patched version
Plugin: Magic Google Maps
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Uptodown APK Download Widget
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.1.11
Recommended Action: Update to version 0.1.11, or a newer patched version
Plugin: Responsive jQuery Slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Build Private Store For Woocommerce
Vulnerability: Missing Authorization
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce
Vulnerability: Missing Authorization
Patched Version: 3.4.11
Recommended Action: Update to version 3.4.11, or a newer patched version
Plugin: Powie's pLinks PagePeeker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Multiple Page Generator Plugin – MPG
Vulnerability: Authenticated (Editor+) Server-Side Request Forgery via fileUrl
Patched Version: 4.0.6
Recommended Action: Update to version 4.0.6, or a newer patched version
Plugin: ThemeREX Addons
Vulnerability: Unauthenticated Arbitrary File Upload in trx_addons_uploads_save_data
Patched Version: 2.34.0
Recommended Action: Update to version 2.34.0, or a newer patched version
Plugin: Avada (Fusion) Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets
Patched Version: 3.11.12
Recommended Action: Update to version 3.11.12, or a newer patched version
Plugin: Internal Links Manager
Vulnerability: Missing Authorization
Patched Version: 2.5.3
Recommended Action: Update to version 2.5.3, or a newer patched version
Plugin: Stars SMTP Mailer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kapost
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MyAnime Widget
Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SetMore Theme – Custom Post Types
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Plethora Plugins Tabs + Accordions
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Magic the Gathering Card Tooltips
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version
Plugin: Easy Code Snippets
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MemeOne
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Product Table Lite
Vulnerability: Missing Authorization
Patched Version: 3.9.0
Recommended Action: Update to version 3.9.0, or a newer patched version
Plugin: Essential Real Estate
Vulnerability: Cross-Site Request Forgery
Patched Version: 5.1.9
Recommended Action: Update to version 5.1.9, or a newer patched version
Plugin: WordPress File Search
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Linear
Vulnerability: Cross-Site Request Forgery to Cache Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FontAwesome.io ShortCodes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup Box: Create Popups Easily
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version
Plugin: Yet Another Countdown Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: IP2Location Country Blocker
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.38.4
Recommended Action: Update to version 2.38.4, or a newer patched version
Plugin: Easy Tweet Embed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Web Testimonials
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Gallery Plugin
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MD Custom content after or before of post
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Missing Authorization
Patched Version: 3.3.2
Recommended Action: Update to version 3.3.2, or a newer patched version
Plugin: Call Now Button – The #1 Click to Call Button for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.14
Recommended Action: Update to version 1.4.14, or a newer patched version
Plugin: Captchelfie – Captcha by Selfie
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SERPed.net
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version
Plugin: WordPress Data Guard [Website Security]
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Enhanced YouTube Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Panoramio
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: QR Code Generator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LearnDash LMS
Vulnerability: Missing Authorization
Patched Version: 4.20.0.3
Recommended Action: Update to version 4.20.0.3, or a newer patched version
Plugin: imaGenius
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shockingly Big IE6 Warning
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Floatbox Plus
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GDY Modular Content
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.93
Recommended Action: Update to version 0.9.93, or a newer patched version
Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.10.14
Recommended Action: Update to version 1.10.14, or a newer patched version
Plugin: WPBot Pro WordPress Chatbot
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Simple Text Response Creation
Patched Version: 13.5.6
Recommended Action: Update to version 13.5.6, or a newer patched version
Plugin: 301 SEO REDIRECTION | COUNTRY BASED REDIRECTION [ REDIRECTION PLUS ]
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: More Link Modifier
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Thim Elementor Kit
Vulnerability: Missing Authorization
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version
Plugin: Progress Tracker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Orbisius Simple Notice
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.2
Recommended Action: Update to version 4.2, or a newer patched version
Plugin: Tainacan
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 0.21.13
Recommended Action: Update to version 0.21.13, or a newer patched version
Plugin: Rollover Tab
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Advanced Bulk Edit Products, Orders, Coupons, Any WordPress Post Type – Smart Manager
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 8.53.0
Recommended Action: Update to version 8.53.0, or a newer patched version
Plugin: EZPlayer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Page Builder Gutenberg Blocks – CoBlocks
Vulnerability: Missing Authorization
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version
Plugin: Linet ERP-Woocommerce Integration Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version
Plugin: Strx Magic Floating Sidebar Maker
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Plethora Plugins Tabs + Accordions
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via anchor
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version
Plugin: Scroll Top Advanced – Scroll to ID or Class
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Review Deletion
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Form Builder CP
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.2.42
Recommended Action: Update to version 1.2.42, or a newer patched version
Plugin: WP Fast Total Search – The Power of Indexed Search
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.79.262
Recommended Action: Update to version 1.79.262, or a newer patched version
Plugin: Post Duplicator
Vulnerability: Missing Authorization
Patched Version: 2.36
Recommended Action: Update to version 2.36, or a newer patched version
Plugin: bonjour-bar
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Analytics
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FAT Event Lite
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)
Vulnerability: Cross-Site Request Forgery
Patched Version: 9.2.0
Recommended Action: Update to version 9.2.0, or a newer patched version
Plugin: WCS QR Code Generator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RSV GMaps
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Button Generator – easily Button Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: Quiz Maker Developer
Vulnerability: Unauthenticated SQL Injection via id
Patched Version: 21.8.0.100
Recommended Action: Update to version 21.8.0.100, or a newer patched version
Plugin: Stripe and PayPal Payment Forms for WordPress – PayForm
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BizLibrary
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Hero Banner Ultimate
Vulnerability: Authenticated (Author+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Translation.Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Twitter Shortcode
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Divi Carousel Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Carousel and Logo Carousel Widgets
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: MailUp Auto Subscription
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Zarinpal Paid Download
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Explara Membership
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sellsy
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: Form Builder CP
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.2.42
Recommended Action: Update to version 1.2.42, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Authenticated (Subscriber+) Open Redirect
Patched Version: 4.2.7.2
Recommended Action: Update to version 4.2.7.2, or a newer patched version
Plugin: EditionGuard for WooCommerce – eBook Sales with DRM
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NV Slider
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Find Your Reps
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pastebin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEO Blogger to WordPress Migration using 301 Redirection
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Revive Adserver
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Create with Code
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: Auction Nudge – Your eBay on Your Site
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.2.1
Recommended Action: Update to version 7.2.1, or a newer patched version
Plugin: GDPR CCPA Compliance & Cookie Consent Banner
Vulnerability: Missing Authorization
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: Universal Analytics Injector
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Genki Announcement
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Flexible PDF Coupons – Gift Cards & Vouchers for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.10.3
Recommended Action: Update to version 1.10.3, or a newer patched version
Plugin: Web Push
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Eventer – WordPress Event & Booking Manager Plugin
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version
Plugin: Cliptakes
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Course Booking System
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SimplyRETS Real Estate IDX
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Mass Messaging in BuddyPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Custom post type custom field
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Logging Service
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Announcements
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bookalet
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Admin and Site Enhancements (ASE) Pro
Vulnerability: Missing Authorization
Patched Version: 7.6.3
Recommended Action: Update to version 7.6.3, or a newer patched version
Plugin: Winning Portfolio
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: User Management
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementInvader Addons for Elementor
Vulnerability: Missing Authorization
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Word Freshener
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Marquee Style RSS News Ticker
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Broadstreet
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via zone Parameter
Patched Version: 1.51.1
Recommended Action: Update to version 1.51.1, or a newer patched version
Plugin: ShMapper by Teplitsa
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: dForms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version
Plugin: Bug Library
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version
Plugin: Super block slider – Responsive image & content slider
Vulnerability: Missing Authorization
Patched Version: 2.8
Recommended Action: Update to version 2.8, or a newer patched version
Plugin: People Lists
Vulnerability: Missing Authorization
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
Vulnerability: Unauthenticated Arbitrary Shortcode Execution via gamipress_do_shortcode() Function
Patched Version: 7.2.2
Recommended Action: Update to version 7.2.2, or a newer patched version
Plugin: Contact Form 7 Round Robin Lead Distribution
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-BlackCheck
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Vertical Timeline
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Modal Window – create popup modal window
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 6.1.5
Recommended Action: Update to version 6.1.5, or a newer patched version
Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.7.1
Recommended Action: Update to version 3.7.1, or a newer patched version
Plugin: WP Contact Form7 Email Spam Blocker
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP-Polls
Vulnerability: Unauthenticated SQL Injection to Stored Cross-Site Scripting
Patched Version: 2.77.3
Recommended Action: Update to version 2.77.3, or a newer patched version
Plugin: GSheetConnector for Forminator Forms
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Masy Gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Wishlist for WooCommerce
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Etsy Importer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Extra Options – Favicons
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SOCIAL.NINJA
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Weaver Themes Shortcode Compatibility
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GDReseller
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Geotagged Media
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AI Power: Complete AI Pack
Vulnerability: Authenticated (Admin+) PHP Object Injection via wpaicg_export_ai_forms
Patched Version: 1.8.97
Recommended Action: Update to version 1.8.97, or a newer patched version
Plugin: Team Member – Multi Language Supported Team Plugin
Vulnerability: Authenticated (Editor+) Local File Inclusion
Patched Version: 7.5
Recommended Action: Update to version 7.5, or a newer patched version
Plugin: WP Hotel Booking
Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Email Retrieval
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: Philantro – Donations and Donor Management
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via donate Shortcode
Patched Version: 5.4
Recommended Action: Update to version 5.4, or a newer patched version
Plugin: CoDesigner – All in One Elementor WooCommerce Builder
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Event post
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.8
Recommended Action: Update to version 5.9.8, or a newer patched version
Plugin: Stackable – Page Builder Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.13.12
Recommended Action: Update to version 3.13.12, or a newer patched version
Plugin: ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: BSK Forms Blacklist
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BMLT Meeting Map
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version
Plugin: Simple Download Monitor
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.9.26
Recommended Action: Update to version 3.9.26, or a newer patched version
Plugin: mybb Last Topics
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
Vulnerability: Authenticated (Shop Manager+) Stored Cross-Site Scripting
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version
Plugin: RSVPMaker
Vulnerability: Missing Authorization
Patched Version: 11.4.6
Recommended Action: Update to version 11.4.6, or a newer patched version
Plugin: Lifetime free Drag & Drop Contact Form Builder for WordPress VForm
Vulnerability: Missing Authorization
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Amber
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.4.13
Recommended Action: Update to version 3.4.13, or a newer patched version
Plugin: Blur Text
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: “Visit Site” Link enhanced – WordPress PlugIn
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Image Source Control Lite – Show Image Credits and Captions
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.29.1
Recommended Action: Update to version 2.29.1, or a newer patched version
Plugin: Nested Pages
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.10
Recommended Action: Update to version 3.2.10, or a newer patched version
Plugin: Stop Comment Spam
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.5.4
Recommended Action: Update to version 0.5.4, or a newer patched version
Plugin: OWL Carousel Slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: KBucket: Your Curated Content in WordPress
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.2.2
Recommended Action: Update to version 4.2.2, or a newer patched version
Plugin: Style Admin
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RomethemeKit For Elementor
Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: Bridge Core
Vulnerability: Missing Authorization
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version
Plugin: PDF Invoices for WooCommerce + Drag and Drop Template Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.7.0
Recommended Action: Update to version 4.7.0, or a newer patched version
Plugin: Custom CSS Addons
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP ULike – All-in-One Engagement Toolkit
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.7
Recommended Action: Update to version 4.7.7, or a newer patched version
Plugin: List category posts
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 0.90.3
Recommended Action: Update to version 0.90.3, or a newer patched version
Plugin: Roi Calculator
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.1
Recommended Action: Update to version 1.1, or a newer patched version
Plugin: Charity-thermometer
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP krpano
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: 12 Step Meeting List
Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion
Patched Version: 3.16.6
Recommended Action: Update to version 3.16.6, or a newer patched version
Plugin: RSS News Scroller
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Events Calendar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.9.1
Recommended Action: Update to version 6.9.1, or a newer patched version
Plugin: Image Switcher
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Slider for Writers
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Sidebar-Content from Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Import WP – Export and Import CSV and XML files to WordPress
Vulnerability: Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Patched Version: 2.14.6
Recommended Action: Update to version 2.14.6, or a newer patched version
Plugin: Tube Video Ads Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Custom Sidebar
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Background animation blocks
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementInvader Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Quiz Maker Developer
Vulnerability: Missing Authorization to Google Sheets Integration Credentials Modification and Stored Cross-Site Scripting
Patched Version: 21.8.0.100
Recommended Action: Update to version 21.8.0.100, or a newer patched version
Plugin: Len Slider
Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MFPlugin
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Vulnerability: Authenticated (Administrator+) Server-Side Request Forgery
Patched Version: 2.17.5
Recommended Action: Update to version 2.17.5, or a newer patched version
Plugin: Radius Blocks – WordPress Gutenberg Blocks
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Sensly Online Presence
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Bilingual Linker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: AlT Report
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MACME
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: MDC YouTube Downloader
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Notifications
Vulnerability: Missing Authorization
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: Twitter Post
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ad Blocking Detector
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Theme My Ontraport Smartform
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ResAds
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Service Payment Form With Authorize.net
Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Shabbos and Yom Tov
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Prodigy Commerce
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Cookies Alert
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: turboSMTP
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.7
Recommended Action: Update to version 4.7, or a newer patched version
Plugin: S-DEV SEO
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ABC Notation
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form 7 – CCAvenue Add-on
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Bulletin Board
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SEOReseller Partner Plugin
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Password Protect Plugin for WordPress
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Media Engine
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WpF Ultimate Carousel
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.20.3
Recommended Action: Update to version 1.20.3, or a newer patched version
Plugin: Wp-Scribd-List
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ABC Notation
Vulnerability: Authenticated (Contributor+) Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WM Options Import Export
Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WH Cache & Security
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CC Circle Progress Bar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WPDB to Sql
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Navigation Du Lapin Blanc
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CodeBard Help Desk
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Online Payments – Get Paid with PayPal, Square & Stripe
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
Vulnerability: Unauthenticated SQL Injection via orderby Parameter
Patched Version: 7.2.2
Recommended Action: Update to version 7.2.2, or a newer patched version
Plugin: Simple Project Manager
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quiz Maker Developer
Vulnerability: Unauthenticated Arbitrary Shortcode Execution via content
Patched Version: 21.8.0.100
Recommended Action: Update to version 21.8.0.100, or a newer patched version
Plugin: All Embed – Elementor Addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Tourfic – Ultimate Hotel Booking, Travel Booking & Car Rental WordPress Plugin | WooCommerce Booking
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 2.15.4
Recommended Action: Update to version 2.15.4, or a newer patched version
Plugin: Spiderpowa Embed PDF
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: W3SPEEDSTER
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: Flying Twitter Birds
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Options Editor
Vulnerability: Cross-Site Request Forgery to Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Background Tile
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WC Affiliate – A Complete WooCommerce Affiliate Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5
Recommended Action: Update to version 2.5, or a newer patched version
Plugin: Patreon WordPress
Vulnerability: Missing Authorization
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version
Plugin: Show/Hide Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Options Update (save_addon_key_license)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: JSM Show Post Metadata
Vulnerability: Missing Authorization
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version
Plugin: my-related-posts
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ReviewsTap
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: GoHero Store Customizer for WooCommerce
Vulnerability: Missing Authorization to Unauthenticated Settings Update
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: MercadoLibre Integration
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Automate Hub Free by Sperse.IO
Vulnerability: Cross-Site Request Forgery to Activation Status Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Feedburner Optin Form
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: go Social
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Blog Summary
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Vulnerability: Missing Authorization
Patched Version: 8.2.0
Recommended Action: Update to version 8.2.0, or a newer patched version
Plugin: Countdown Timer – Widget Countdown
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: Multilang Contact Form
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Booking Calendar Contact Form
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.56
Recommended Action: Update to version 1.2.56, or a newer patched version
Plugin: MachForm Shortcode
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.26
Recommended Action: Update to version 1.1.26, or a newer patched version
Plugin: GDPR Personal Data Reports
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Survey Maker
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Survey Question
Patched Version: 5.1.3.4
Recommended Action: Update to version 5.1.3.4, or a newer patched version
Plugin: MDTF – Meta Data and Taxonomies Filter
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.3.7
Recommended Action: Update to version 1.3.3.7, or a newer patched version
Plugin: WP PT-Viewer
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin
Vulnerability: Unauthenticated Open Redirect
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Taxonomy/Term and Role based Discounts for WooCommerce
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 5.2
Recommended Action: Update to version 5.2, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.