Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Recipe Cards For Your Food Blog from Zip Recipes
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 8.1.1
Recommended Action: Update to version 8.1.1, or a newer patched version
Plugin: WooCommerce Easy Duplicate Product
Vulnerability: Missing Authorization via wedp_duplicate_product_action
Patched Version: 0.3.0.8
Recommended Action: Update to version 0.3.0.8, or a newer patched version
Plugin: WooCommerce Warranty Requests
Vulnerability: Missing Authorization
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: WP Mail Log
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: Autotitle for WordPress
Vulnerability: Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Schema & Structured Data for WP & AMP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.24
Recommended Action: Update to version 1.24, or a newer patched version
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: Booking Price Manipulation via bookingpress_confirm_booking
Patched Version: 1.0.75
Recommended Action: Update to version 1.0.75, or a newer patched version
Plugin: WP 2FA – Two-factor authentication for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: Product Code for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: EnvíaloSimple: Email Marketing y Newsletters
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version
Plugin: Stylish Price List – Price Table Builder & QR Code Restaurant Menu
Vulnerability: Missing Authorization
Patched Version: 7.0.18
Recommended Action: Update to version 7.0.18, or a newer patched version
Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Campaign Message
Patched Version: 3.1.20
Recommended Action: Update to version 3.1.20, or a newer patched version
Plugin: Simple Job Board
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.10.7
Recommended Action: Update to version 2.10.7, or a newer patched version
Plugin: Custom 404 Pro
Vulnerability: Unauthenticated Stored Cross-Site Scripting via logging
Patched Version: 3.10.1
Recommended Action: Update to version 3.10.1, or a newer patched version
Plugin: EnvíaloSimple: Email Marketing y Newsletters
Vulnerability: No subtitle
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk
Vulnerability: Cross-Site Request Forgery via apbct_settings__update_account_email
Patched Version: 6.21
Recommended Action: Update to version 6.21, or a newer patched version
Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version
Plugin: BERTHA AI. Your AI co-pilot for WordPress and Chrome
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.11.10.8
Recommended Action: Update to version 1.11.10.8, or a newer patched version
Plugin: Republish Old Posts
Vulnerability: Cross-Site Request Forgery via rop_options_page
Patched Version: 1.27
Recommended Action: Update to version 1.27, or a newer patched version
Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
Vulnerability: Authenticated (Author+) Open Redirect
Patched Version: 6.9.19
Recommended Action: Update to version 6.9.19, or a newer patched version
Plugin: Active Products Tables for WooCommerce. Use constructor to create tables
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.6.1
Recommended Action: Update to version 1.0.6.1, or a newer patched version
Plugin: Floating Button
Vulnerability: Cross-Site Request Forgery via process_bulk_action
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Insecure Direct Object Reference to Information Disclosure
Patched Version: 4.2.5.8
Recommended Action: Update to version 4.2.5.8, or a newer patched version
Plugin: Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition
Vulnerability: Missing Authorization to Unauthenticated Privilege Escalation
Patched Version: 3.05.1
Recommended Action: Update to version 3.05.1, or a newer patched version
Plugin: MapPress Maps for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.88.14
Recommended Action: Update to version 2.88.14, or a newer patched version
Plugin: Pay with Vipps and MobilePay for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.14.14
Recommended Action: Update to version 1.14.14, or a newer patched version
Plugin: WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Rate My Post – Star Rating Plugin by FeedbackWP
Vulnerability: IP Address Spoofing
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: Customer Reviews for WooCommerce
Vulnerability: Missing Authorization via CR_Manual
Patched Version: 5.38.2
Recommended Action: Update to version 5.38.2, or a newer patched version
Plugin: Piotnet Forms
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.0.29
Recommended Action: Update to version 1.0.29, or a newer patched version
Plugin: WP Simple Booking Calendar
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.8.5
Recommended Action: Update to version 2.0.8.5, or a newer patched version
Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA
Vulnerability: Cross-Site Request Forgery via save_campaign_preview
Patched Version: 3.1.19
Recommended Action: Update to version 3.1.19, or a newer patched version
Plugin: Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: My Agile Privacy – The only GDPR solution for WP that you can truly trust
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: ARI Stream Quiz – WordPress Quizzes Builder
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard
Vulnerability: Cross-Site Request Forgery via white_label_reset_wl_admins
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version
Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
Vulnerability: Missing Authorization to Settings Modification
Patched Version: 6.5.3
Recommended Action: Update to version 6.5.3, or a newer patched version
Plugin: Simple Staff List
Vulnerability: Missing Authorization via ajax_flush_rewrite_rules and staff_member_export
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: WP Stripe Checkout
Vulnerability: Sensitive Information Exposure via Debug Log
Patched Version: 1.2.2.38
Recommended Action: Update to version 1.2.2.38, or a newer patched version
Plugin: AI Power: Complete AI Pack
Vulnerability: Missing Authorization to Sensitive Data Exposure
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: Database Cleaner
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 0.9.9
Recommended Action: Update to version 0.9.9, or a newer patched version
Plugin: Import any XML, CSV or Excel File to WordPress
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 3.7.3
Recommended Action: Update to version 3.7.3, or a newer patched version
Plugin: Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More
Vulnerability: Cross-Site Request Forgery via views/tools/diagnostics/information.php
Patched Version: 1.5.7.1
Recommended Action: Update to version 1.5.7.1, or a newer patched version
Plugin: WP Tabs – Responsive Tabs and Custom Product Tabs
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version
Plugin: ARI Stream Quiz – WordPress Quizzes Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: TerraClassifieds – Simple Classifieds Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: IP Spoofing
Patched Version: 5.2.5.1
Recommended Action: Update to version 5.2.5.1, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Cross-Site Request Forgery
Patched Version: 8.1.19
Recommended Action: Update to version 8.1.19, or a newer patched version
Plugin: Thrive Automator
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.17.1
Recommended Action: Update to version 1.17.1, or a newer patched version
Plugin: OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.
Vulnerability: Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting
Patched Version: 5.7.10
Recommended Action: Update to version 5.7.10, or a newer patched version
Plugin: Spam protection, Anti-Spam, FireWall by CleanTalk
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.21
Recommended Action: Update to version 6.21, or a newer patched version
Plugin: MC4WP: Mailchimp for WordPress
Vulnerability: Missing Authorization via listen
Patched Version: 4.9.10
Recommended Action: Update to version 4.9.10, or a newer patched version
Plugin: Product Catalog Simple
Vulnerability: Sensitive Information Exposure via Product CSV
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Ready Function
Patched Version: 1.15.3
Recommended Action: Update to version 1.15.3, or a newer patched version
Plugin: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 5.1.0.3
Recommended Action: Update to version 5.1.0.3, or a newer patched version
Plugin: WPC Product Bundles for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 7.3.2
Recommended Action: Update to version 7.3.2, or a newer patched version
Plugin: Woocommerce Shipping Canada Post
Vulnerability: Missing Authorization
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version
Plugin: AI Power: Complete AI Pack
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.13
Recommended Action: Update to version 1.8.13, or a newer patched version
Plugin: Branda – Branda – White Label & Branding, Custom Login Page Customizer
Vulnerability: IP Address Spoofing
Patched Version: 3.4.15
Recommended Action: Update to version 3.4.15, or a newer patched version
Plugin: WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version
Plugin: Apollo13 Framework Extensions
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version
Plugin: Rencontre – Dating Site
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version
Plugin: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
Vulnerability: Missing Authorization to Order Export
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: Login as User or Customer
Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: EventPrime – Events Calendar, Bookings and Tickets
Vulnerability: Missing Authorization to Private Event Disclosure
Patched Version: 3.3.6
Recommended Action: Update to version 3.3.6, or a newer patched version
Plugin: Send Users Email – Email Subscribers, Email Marketing Newsletter
Vulnerability: Sensitive Information Exposure via Error Logs
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: WP Affiliate Disclosure
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via $id
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version
Plugin: WP Review Slider
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 12.8
Recommended Action: Update to version 12.8, or a newer patched version
Plugin: WooCommerce Ship to Multiple Addresses
Vulnerability: Missing Authorization
Patched Version: 3.8.10
Recommended Action: Update to version 3.8.10, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Server Side Request Forgery
Patched Version: 3.10.0
Recommended Action: Update to version 3.10.0, or a newer patched version
Plugin: PDF Builder for WooCommerce. Create invoices,packing slips and more
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.102
Recommended Action: Update to version 1.2.102, or a newer patched version
Plugin: iframe
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via srcdoc
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version
Plugin: WooPayments: Integrated WooCommerce Payments
Vulnerability: Unauthenticated Insecure Direct Object Reference
Patched Version: 6.7.0
Recommended Action: Update to version 6.7.0, or a newer patched version
Plugin: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Vulnerability: Cross-Site Request Forgery via ajax_add_log_entry
Patched Version: 2.10.5
Recommended Action: Update to version 2.10.5, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Unauthenticated SQL Injection via order_by
Patched Version: 4.2.5.8
Recommended Action: Update to version 4.2.5.8, or a newer patched version
Plugin: WooCommerce Stripe Payment Gateway
Vulnerability: Insecure Direct Object Reference via update_payment_intent_ajax
Patched Version: 7.6.2
Recommended Action: Update to version 7.6.2, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Cross-Site Request Forgery via Several Functions
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: FunnelKit Checkout
Vulnerability: Authenticated (Subscriber+) Missing Authorization to Arbitrary Plugin Activation
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version
Plugin: Verge3D Publishing and E-Commerce
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 4.5.3
Recommended Action: Update to version 4.5.3, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Missing Authorization
Patched Version: 5.6.7
Recommended Action: Update to version 5.6.7, or a newer patched version
Plugin: Rencontre – Dating Site
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version
Plugin: WPCS – WordPress Currency Switcher Professional
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.0.1
Recommended Action: Update to version 1.2.0.1, or a newer patched version
Plugin: 404 Solution
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 2.33.1
Recommended Action: Update to version 2.33.1, or a newer patched version
Plugin: Page Generator
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Build App Online
Vulnerability: Authentication Bypass via Header
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version
Plugin: Affiliates Manager
Vulnerability: Cross-Site Request Forgery via multiple AJAX actions
Patched Version: 2.9.32
Recommended Action: Update to version 2.9.32, or a newer patched version
Plugin: WP User Profile Avatar
Vulnerability: Authenticated (Author+) Insecure Direct Object Reference to Avatar Deletion/Update
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more
Vulnerability: Reflected Cross-Site Scripting via msg
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version
Plugin: Dynamic Content for Elementor
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.12.5
Recommended Action: Update to version 2.12.5, or a newer patched version
Plugin: Frontend Admin by DynamiApps
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.18.4
Recommended Action: Update to version 3.18.4, or a newer patched version
Plugin: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
Vulnerability: Authenticated (Shop Manager+) Arbitrary Options Update via JSON Import
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version
Plugin: Product Feed Manager- WooCommerce Product Feeds For Google Shopping, Social Catalog, TikTok Ads, and 180+ Popular Marketplaces
Vulnerability: Authenticated (Admin+) Directory Traversal
Patched Version: 7.3.16
Recommended Action: Update to version 7.3.16, or a newer patched version
Plugin: Checkout Mestres do WP for WooCommerce
Vulnerability: Authentication Bypass via Password Reset
Patched Version: 7.1.9.8
Recommended Action: Update to version 7.1.9.8, or a newer patched version
Plugin: Export Media URLs
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version
Plugin: Awesome Support – WordPress HelpDesk & Support Plugin
Vulnerability: Missing Authorization via wpas_load_reply_history
Patched Version: 6.1.6
Recommended Action: Update to version 6.1.6, or a newer patched version
Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more
Vulnerability: Unauthenticated Stored Cross-Site Scripting via device
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version
Plugin: YITH WooCommerce Product Add-Ons
Vulnerability: Authenticated (Shop Manager+) PHP Object Injection
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: If-So Dynamic Content Personalization
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Calculated Fields Form
Vulnerability: Authenticated (Contributor+) Open Redirect via Shortcode
Patched Version: 1.2.29
Recommended Action: Update to version 1.2.29, or a newer patched version
Plugin: Job Manager & Career – Manage job board listings, and recruitments
Vulnerability: Cross-Site Request Forgery to PHP Object Injection
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Inline Image Upload for BBPress
Vulnerability: Cross-Site Request Forgery via hm_bbpui_admin_page
Patched Version: 1.1.19
Recommended Action: Update to version 1.1.19, or a newer patched version
Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vulnerability: Form Submission Limit Bypass
Patched Version: 5.2.5.1
Recommended Action: Update to version 5.2.5.1, or a newer patched version
Plugin: Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 0.6.3
Recommended Action: Update to version 0.6.3, or a newer patched version
Plugin: Fluent Support – Helpdesk & Customer Support Ticket System
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Missing Authorization
Patched Version: 8.1.17
Recommended Action: Update to version 8.1.17, or a newer patched version
Plugin: Checkout Mestres do WP for WooCommerce
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Options Update
Patched Version: 7.1.9.8
Recommended Action: Update to version 7.1.9.8, or a newer patched version
Plugin: WooCommerce Per Product Shipping
Vulnerability: Missing Authorization
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version
Plugin: Auto Amazon Links – Amazon Associates Affiliate Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.2
Recommended Action: Update to version 5.1.2, or a newer patched version
Plugin: Easy PayPal & Stripe Buy Now Button
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version
Plugin: WP Frontend Profile
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: BulkGate SMS Plugin for WooCommerce
Vulnerability: Missing Authorization via Multiple AJAX Actions
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version
Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More
Vulnerability: Cross-Site Request Forgery to Subscriber Deletion
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version
Plugin: Defender Security – Malware Scanner, Login Security & Firewall
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version
Plugin: GEO my WP
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version
Plugin: FunnelKit Checkout
Vulnerability: Authenticated (Subscriber+) Missing Authorization to Settings Change
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version
Plugin: Booster Elite for WooCommerce
Vulnerability: Authenticated (Subscriber+) Content Injection
Patched Version: 7.1.3
Recommended Action: Update to version 7.1.3, or a newer patched version
Plugin: Local Delivery Drivers for WooCommerce
Vulnerability: Missing Authorization to Driver Account Takeover
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.9.171
Recommended Action: Update to version 1.9.171, or a newer patched version
Plugin: JVM Gutenberg Rich Text Icons
Vulnerability: Directory Traversal to Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Integrate Google Drive
Vulnerability: Missing Authorization via save_settings
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Restaurant Reservations
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: Crowdsignal Dashboard – Polls, Surveys & more
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: Custom Post Carousels with Owl
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.4.7
Recommended Action: Update to version 1.4.7, or a newer patched version
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Cross-Site Request Forgery
Patched Version: 8.5.5
Recommended Action: Update to version 8.5.5, or a newer patched version
Plugin: Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: 3.05.5
Recommended Action: Update to version 3.05.5, or a newer patched version
Plugin: RSVP Events
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.9.5
Recommended Action: Update to version 2.9.5, or a newer patched version
Plugin: Affiliates Manager
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 2.9.31
Recommended Action: Update to version 2.9.31, or a newer patched version
Plugin: WP MLM SOFTWARE PLUGIN
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DOOFINDER Search and Discovery for WP & WooCommerce
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: TerraClassifieds – Simple Classifieds Plugin
Vulnerability: No subtitle
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rencontre – Dating Site
Vulnerability: Privilege Escalation
Patched Version: 3.11
Recommended Action: Update to version 3.11, or a newer patched version
Plugin: WP MLM SOFTWARE PLUGIN
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: eCommerce Product Catalog Plugin for WordPress
Vulnerability: Sensitive Information Exposure via CSV Files
Patched Version: 3.3.27
Recommended Action: Update to version 3.3.27, or a newer patched version
Plugin: FastDup – Fastest WordPress Migration & Duplicator
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 2.1.8
Recommended Action: Update to version 2.1.8, or a newer patched version
Plugin: Stock Ticker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.23.5
Recommended Action: Update to version 3.23.5, or a newer patched version
Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More
Vulnerability: Authenticated (Admin+) SQL Injection to Reflected Cross-Site Scripting
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version
Plugin: Theme per user
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: Easy Video Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.2.11
Recommended Action: Update to version 1.2.2.11, or a newer patched version
Plugin: Split Test For Elementor
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Events Shortcodes For The Events Calendar
Vulnerability: Authenticated (Contributor+) SQL Injection via shortcode
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version
Plugin: WP User Profile Avatar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Product Expiry for WooCommerce
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version
Plugin: Active Products Tables for WooCommerce. Use constructor to create tables
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.0.6.1
Recommended Action: Update to version 1.0.6.1, or a newer patched version
Plugin: WooCommerce Warranty Requests
Vulnerability: Missing Authorization
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version
Plugin: Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.5.2
Recommended Action: Update to version 3.5.2, or a newer patched version
Plugin: FunnelKit Checkout
Vulnerability: Unauthenticated Arbitrary Content Deletion
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version
Plugin: JVM Gutenberg Rich Text Icons
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: CRM Perks Forms – WordPress Form Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: WP 2FA – Two-factor authentication for WordPress
Vulnerability: Insecure Direct Object Reference to Arbitrary Email Sending
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version
Plugin: Dan's Embedder for Google Calendar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: CBX Bookmark & Favorite
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.7.14
Recommended Action: Update to version 1.7.14, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version
Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version
Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.6
Recommended Action: Update to version 3.2.6, or a newer patched version
Plugin: Product Enquiry for WooCommerce
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Slider by Soliloquy – Responsive Image Slider for WordPress
Vulnerability: Missing Authorization
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: Awesome Support – WordPress HelpDesk & Support Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.1.6
Recommended Action: Update to version 6.1.6, or a newer patched version
Plugin: NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.10.3
Recommended Action: Update to version 1.10.3, or a newer patched version
Plugin: FooGallery Premium
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version
Plugin: Crowdsignal Dashboard – Polls, Surveys & more
Vulnerability: Cross-Site Request Forgery via update_rating
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: Checkout Mestres do WP for WooCommerce
Vulnerability: Unauthenticated SQL Injection
Patched Version: 7.1.9.8
Recommended Action: Update to version 7.1.9.8, or a newer patched version
Plugin: Strong Testimonials
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version
Plugin: Eazy Plugin Manager – Powerful Plugin Management Solution for WordPress
Vulnerability: Missing Authorization via update_options
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version
Plugin: Build App Online
Vulnerability: Missing Authorization Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 1.0.21
Recommended Action: Update to version 1.0.21, or a newer patched version
Plugin: Image Source Control Lite – Show Image Credits and Captions
Vulnerability: Sensitive Information Exposure via Log File
Patched Version: 2.17.1
Recommended Action: Update to version 2.17.1, or a newer patched version
Plugin: Product Vendors
Vulnerability: Missing Authorization
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: Most And Least Read Posts Widget
Vulnerability: Authenticated (Contributor+) SQL Injection via Widget settings
Patched Version: 2.5.17
Recommended Action: Update to version 2.5.17, or a newer patched version
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Missing Authorization via dispatch
Patched Version: 6.3.10
Recommended Action: Update to version 6.3.10, or a newer patched version
Plugin: Themify Icons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.2
Recommended Action: Update to version 2.0.2, or a newer patched version
Plugin: Product Table by WBW
Vulnerability: Cross-Site Request Forgery via saveGroup
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version
Plugin: Piotnet Forms
Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 1.0.30
Recommended Action: Update to version 1.0.30, or a newer patched version
Plugin: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.9.19
Recommended Action: Update to version 6.9.19, or a newer patched version
Plugin: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Vulnerability: Missing Authorization via export_form_entries
Patched Version: 1.6.19
Recommended Action: Update to version 1.6.19, or a newer patched version
Plugin: Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition
Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.05.1
Recommended Action: Update to version 3.05.1, or a newer patched version
Plugin: Build App Online
Vulnerability: Account Takeover via Weak Password Reset Mechanism
Patched Version: 1.0.23
Recommended Action: Update to version 1.0.23, or a newer patched version
Plugin: Malware Scanner
Vulnerability: IP Spoofing
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version
Plugin: Product Vendors
Vulnerability: Missing Authorization
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.14
Recommended Action: Update to version 2.7.14, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.