Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.2.18
Recommended Action: Update to version 3.2.18, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.3.2
Recommended Action: Update to version 8.3.2, or a newer patched version
Plugin: Fatal Error Notify
Vulnerability: Cross-Site Request Forgery to Test Error Email Sending
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: User Activity Tracking and Log
Vulnerability: IP Spoofing
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version
Plugin: (Simply) Guest Author Name
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.35
Recommended Action: Update to version 4.35, or a newer patched version
Plugin: FreshMail For WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Database for Contact Form 7, WPforms, Elementor forms
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version
Plugin: Insert or Embed Articulate Content into WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 4.3000000023
Recommended Action: Update to version 4.3000000023, or a newer patched version
Plugin: WP Quick Post Duplicator
Vulnerability: Missing Authorization
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional
Vulnerability: Missing Authorization
Patched Version: 1.0.8.2
Recommended Action: Update to version 1.0.8.2, or a newer patched version
Plugin: Instant Images – One-click Image Uploads from Unsplash, Openverse, Pixabay, Pexels, and Giphy
Vulnerability: Authenticated (Author+) Arbitrary Options Update
Patched Version: 6.1.1
Recommended Action: Update to version 6.1.1, or a newer patched version
Plugin: WPFront Notification Bar
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via wpfront-notification-bar-options[custom_class]
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version
Plugin: File Manager Pro
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 8.3.5
Recommended Action: Update to version 8.3.5, or a newer patched version
Plugin: 10Web AI Assistant – AI content writing assistant
Vulnerability: Missing Authorization to Arbitrary Plugin Installation
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version
Plugin: aBitGone CommentSafe
Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cincopa video and media plug-in
Vulnerability: Cross-Site Request Forgery via cincopa_mp_mt_options_page
Patched Version: 1.160
Recommended Action: Update to version 1.160, or a newer patched version
Plugin: Persian Fonts
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Views for WPForms – Display & Edit WPForms Entries on your site frontend
Vulnerability: Missing Authorization via get_form_fields
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version
Plugin: PDF Viewer & 3D PDF Flipbook – DearPDF
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Debug Log Manager
Vulnerability: Missing Authorization
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version
Plugin: PDF Poster – PDF Embedder Plugin
Vulnerability: PDF Embedder Plugin for WordPress <= 2.1.17
Patched Version: 2.1.18
Recommended Action: Update to version 2.1.18, or a newer patched version
Plugin: Views for WPForms – Display & Edit WPForms Entries on your site frontend
Vulnerability: Cross-Site Request Forgery via create_view
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: Albo Pretorio On line
Vulnerability: Unauthenticated Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Views for WPForms – Display & Edit WPForms Entries on your site frontend
Vulnerability: Missing Authorization via save_view
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: illi Link Party!
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Link Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Noindex Nofollow Tool
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cookie Information | Free GDPR Consent Solution
Vulnerability: Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 2.0.23
Recommended Action: Update to version 2.0.23, or a newer patched version
Plugin: Affiliates Manager
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.35
Recommended Action: Update to version 2.9.35, or a newer patched version
Plugin: WooCommerce Builder & Gutenberg WooCommerce Blocks – WowStore
Vulnerability: PHP Object Injection via wopb_wishlist and wopb_compare
Patched Version: 3.1.5
Recommended Action: Update to version 3.1.5, or a newer patched version
Plugin: Advanced Schedule Posts
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More.
Vulnerability: Cross-Site Request Forgery in Printer Management
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Formzu WP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version
Plugin: PDF Viewer & 3D PDF Flipbook – DearPDF
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mang Board WP
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.8
Recommended Action: Update to version 1.7.8, or a newer patched version
Plugin: Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More.
Vulnerability: Missing Authorization in showTemplatePreview
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version
Plugin: Fatal Error Notify
Vulnerability: Missing Authorization to Test Error Email Sending
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version
Plugin: SoundCloud Shortcode
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version
Plugin: InstaWP Connect – 1-click WP Staging & Migration
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 0.1.0.10
Recommended Action: Update to version 0.1.0.10, or a newer patched version
Plugin: Block for Font Awesome
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: WP Dashboard Notes
Vulnerability: Missing Authorization to Arbitrary Private Notes Update
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version
Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.8.2
Recommended Action: Update to version 1.0.8.2, or a newer patched version
Plugin: Add SVG Support for Media Uploader | inventivo
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SiteOrigin Widgets Bundle
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.58.2
Recommended Action: Update to version 1.58.2, or a newer patched version
Plugin: Beds24 Online Booking
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.25
Recommended Action: Update to version 2.0.25, or a newer patched version
Plugin: WP-Lister Lite for eBay
Vulnerability: Reflected Cross-Site Scripting via ‘s’
Patched Version: 3.5.8
Recommended Action: Update to version 3.5.8, or a newer patched version
Plugin: Backuply – Backup, Restore, Migrate and Clone
Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version
Plugin: Scheduling Plugin – Online Booking for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Order Delivery Date for WP e-Commerce
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Estatik Real Estate Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.1
Recommended Action: Update to version 4.1.1, or a newer patched version
Plugin: Meks Smart Social Widget
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version
Plugin: Button Generator – easily Button Builder
Vulnerability: Missing Authorization
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version
Plugin: Frontend Admin by DynamiApps
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.18.4
Recommended Action: Update to version 3.18.4, or a newer patched version
Plugin: Pre* Party Resource Hints
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.8.19
Recommended Action: Update to version 1.8.19, or a newer patched version
Plugin: Product Size Chart For WooCommerce
Vulnerability: Cross-Site Request Forgery via get_save_option
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Click To Tweet
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Importify – Dropshipping WooCommerce Plugin for Aliexpress, Amazon, Etsy, Alibaba, Walmart & More
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version
Plugin: WP-Reply Notify
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Better Search Replace
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Link Anything
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version
Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via RSS Feed Source
Patched Version: 4.23.5
Recommended Action: Update to version 4.23.5, or a newer patched version
Plugin: Custom Order Numbers for WooCommerce
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version
Plugin: Category Discount Woocommerce
Vulnerability: Missing Authorization via wpcd_save_discount()
Patched Version: 4.13
Recommended Action: Update to version 4.13, or a newer patched version
Plugin: InstaWP Connect – 1-click WP Staging & Migration
Vulnerability: Missing Authorization to Sensitive Information Disclosure
Patched Version: 0.1.0.10
Recommended Action: Update to version 0.1.0.10, or a newer patched version
Plugin: illi Link Party!
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: coreActivity: Activity Logging plugin for WordPress
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version
Plugin: Booking calendar, Appointment Booking System
Vulnerability: Missing Authorization
Patched Version: 3.2.4
Recommended Action: Update to version 3.2.4, or a newer patched version
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 12.3.16
Recommended Action: Update to version 12.3.16, or a newer patched version
Plugin: PopupAlly
Vulnerability: Cross-Site Request Forgery via optin_submit_callback
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version
Plugin: Views for WPForms – Display & Edit WPForms Entries on your site frontend
Vulnerability: Missing Authorization via create_view
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: Custom Order Status for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version
Plugin: WordPress Simple Shopping Cart
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version
Plugin: illi Link Party!
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CSS & JavaScript Toolbox
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 11.9
Recommended Action: Update to version 11.9, or a newer patched version
Plugin: SVG Uploads Support
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Cross-Site Request Forgery to Level Orders Update
Patched Version: 2.12.8
Recommended Action: Update to version 2.12.8, or a newer patched version
Plugin: Simple Membership
Vulnerability: Open Redirect
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version
Plugin: Review Schema – Review & Structure Data Schema Plugin
Vulnerability: Missing Authorization to Arbitrary Review Update
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Button Generator – easily Button Builder
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3.9
Recommended Action: Update to version 2.3.9, or a newer patched version
Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.8
Recommended Action: Update to version 6.8, or a newer patched version
Plugin: Additional Order Filters for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.12
Recommended Action: Update to version 1.12, or a newer patched version
Plugin: WPS Hide Login
Vulnerability: Hidden Login Page Location Disclosure
Patched Version: 1.9.12
Recommended Action: Update to version 1.9.12, or a newer patched version
Plugin: WooCommerce Conversion Tracking
Vulnerability: Missing Authorization
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version
Plugin: WolfNet IDX for WordPress
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Starbox – the Author Box for Humans
Vulnerability: Insecure Direct Object Reference
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version
Plugin: Ninja Tables – Easy Data Table Builder
Vulnerability: Missing Authorization
Patched Version: 5.0.6
Recommended Action: Update to version 5.0.6, or a newer patched version
Plugin: illi Link Party!
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CP Media Player – Audio Player and Video Player
Vulnerability: Cross-Site Request Forgery to Player Deletion and Duplication
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Don't Muck My Markup
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mapster WP Maps
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.39
Recommended Action: Update to version 1.2.39, or a newer patched version
Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Vulnerability: Cross-Site Request Forgery to Limited Code Execution via Execute
Patched Version: 1.15.22
Recommended Action: Update to version 1.15.22, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: Property Hive
Vulnerability: Unauthenticated PHP Object Injection via propertyhive_currency
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version
Plugin: Advanced Database Cleaner
Vulnerability: Authenticated (Administrator+) PHP Object Injection via process_bulk_action
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: Views for WPForms – Display & Edit WPForms Entries on your site frontend
Vulnerability: Cross-Site Request Forgery via save_view
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version
Plugin: Marketing Twitter Bot
Vulnerability: Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3.4
Recommended Action: Update to version 5.3.4, or a newer patched version
Plugin: CC BMI Calculator
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version
Plugin: Allow SVG
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Category Discount Woocommerce
Vulnerability: Cross-Site Request Forgery via wpcd_save_discount()
Patched Version: 4.12
Recommended Action: Update to version 4.12, or a newer patched version
Plugin: WebSub (FKA. PubSubHubbub)
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: ACF Photo Gallery Field
Vulnerability: Missing Authorization in apgf_update_donation
Patched Version: 2.7
Recommended Action: Update to version 2.7, or a newer patched version
Plugin: Email Before Download
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.9.8
Recommended Action: Update to version 6.9.8, or a newer patched version
Plugin: MapPress Maps for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Map Settings
Patched Version: 2.88.17
Recommended Action: Update to version 2.88.17, or a newer patched version
Plugin: Better Follow Button for Jetpack
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.