Watch Out Wednesday – January 8, 2025

Home » Watch Out Wednesday – January 8, 2025

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: MAS Elementor

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Gutenberg Blocks – Unlimited blocks For Gutenberg

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hero Mega Menu – Responsive WordPress Menu Plugin

Vulnerability: Responsive WordPress Menu Plugin <= 1.16.5
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form 7 Database – CFDB7

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.3.4
Recommended Action: Update to version 3.7.3.4, or a newer patched version

Plugin: CC Canadian Mortgage Calculator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: WP Multi Store Locator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Export Import Menus

Vulnerability: Missing Authorization to Unauthenticated Menu Export
Patched Version: 1.9.2
Recommended Action: Update to version 1.9.2, or a newer patched version

Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery

Vulnerability: Authenticated (Subscriber+) Limited Server-Side Request Forgery
Patched Version: 1.0.16
Recommended Action: Update to version 1.0.16, or a newer patched version

Plugin: WP Compress – Instant Performance & Speed Optimization

Vulnerability: Reflected Cross-Site Scripting via custom_server Parameter
Patched Version: 6.30.04
Recommended Action: Update to version 6.30.04, or a newer patched version

Plugin: Autocompleter

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Youtube Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Auction Plugin

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Standard Box Sizes – for WooCommerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woo Ukrposhta

Vulnerability: Reflected Cross-Site Scripting via order, post, and idd Parameters
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Accessibility by AllAccessible

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: App Embed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Spacer

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Passster – Password Protect Pages and Content

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 4.2.11
Recommended Action: Update to version 4.2.11, or a newer patched version

Plugin: Timeline Designer

Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YOGO Booking

Plugin: PIXNET Plugin

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Social Rocket – Social Sharing Plugin

Vulnerability: Missing Authorization to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple User Registration

Vulnerability: Missing Authorization to Account Takeover
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP – Bulk SMS – by SMS.to

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gutensee

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.7
Recommended Action: Update to version 1.0.7, or a newer patched version

Plugin: Custom Product Tabs for WooCommerce

Vulnerability: Authenticated (Shop Manager+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: EO4WP: EmailOctopus for WordPress

Plugin: WooCommerce HSS Extension for Streaming Video

Vulnerability: Reflected Cross-Site Scripting via videolink Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slotti Ajanvaraus

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Themes Coder – Create Android & iOS Apps For Your Woocommerce Site

Vulnerability: Insecure Direct Object Reference to Password Change/Account Takeover/Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Classic Addons – WPBakery Page Builder

Vulnerability: Authenticated (Editor+) Local File Inclusion
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: WP SecureSubmit

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Financial Stocks & Crypto Market Data Plugin

Plugin: BVD Easy Gallery Manager

Plugin: Minimum and Maximum Quantity for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: wpSOL

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Elevio

Plugin: Goodlayers Core

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version

Plugin: WP Smart Import : Import any XML File to WordPress

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: File Manager Pro – Filester

Vulnerability: No subtitle
Patched Version: 1.8.7
Recommended Action: Update to version 1.8.7, or a newer patched version

Plugin: Top Comments

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Store credit / Gift cards for woocommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.49.47
Recommended Action: Update to version 1.0.49.47, or a newer patched version

Plugin: Transporters.io

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Unauthenticated Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion
Patched Version: 4.25.0
Recommended Action: Update to version 4.25.0, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Path Traversal
Patched Version: 4.25.0
Recommended Action: Update to version 4.25.0, or a newer patched version

Plugin: Mang Board WP

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version

Plugin: SEO Keywords

Vulnerability: Reflected Cross-Site Scripting via google_error Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SMS Alert Order Notifications – WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 3.7.7
Recommended Action: Update to version 3.7.7, or a newer patched version

Plugin: Turnkey bbPress by WeaverTheme

Vulnerability: Reflected Cross-Site Scripting via _wpnonce Parameter
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Migration, Backup, Staging – WPvivid Backup & Migration

Vulnerability: Missing Authorization
Patched Version: 0.9.107
Recommended Action: Update to version 0.9.107, or a newer patched version

Plugin: WP Social AutoConnect

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 4.6.3
Recommended Action: Update to version 4.6.3, or a newer patched version

Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Vulnerability: Addons for Elementor <= 5.10.14
Patched Version: 5.10.15
Recommended Action: Update to version 5.10.15, or a newer patched version

Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Sina Image Differ
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: JobBoard Job listing plugin

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Ultimate Learning Pro

Plugin: Popup – MailChimp, GetResponse and ActiveCampaign Intergrations

Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Kredeum NFTs, the easiest way to sell your NFTs directly on your WordPress site

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.10
Recommended Action: Update to version 1.6.10, or a newer patched version

Plugin: Notify Odoo

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: SureForms – Drag and Drop Form Builder for WordPress

Vulnerability: Missing Authorization to Unauthenticated Protected Post Disclosure
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version

Plugin: Highlight Sitewide Notice, Text, Button Menu

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: WP jQuery DataTable

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: Themesflat Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: Bizapp for WooCommerce

Plugin: EMC2 Alert Boxes

Plugin: UpdraftPlus: WP Backup & Migration Plugin

Vulnerability: 1.24.11
Patched Version: 1.24.12
Recommended Action: Update to version 1.24.12, or a newer patched version

Plugin: MashShare – Social Media Share Buttons, Social Share Icons

Plugin: Designer – Elementor Addons

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Tooltip Module
Patched Version: 2.0.6.8
Recommended Action: Update to version 2.0.6.8, or a newer patched version

Plugin: One to one user Chat by WPGuppy

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Formaloo Form Maker & Customer Analytics for WordPress & WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via address Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SSL Wireless SMS Notification

Plugin: Estatik Mortgage Calculator

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.0.12
Recommended Action: Update to version 2.0.12, or a newer patched version

Plugin: AFI – The Easiest Integration Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.97.0
Recommended Action: Update to version 1.97.0, or a newer patched version

Plugin: Croma Music

Vulnerability: Authenticated (Subscriber+) Arbitrary Options Update in ironMusic_ajax
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version

Plugin: InfiniteWP Client

Vulnerability: Unauthenticated Limited Directory Traversal to Arbitrary .txt File Reading
Patched Version: 1.13.1
Recommended Action: Update to version 1.13.1, or a newer patched version

Plugin: Bootstrap Blocks for WP Editor v2

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: Export All Posts, Products, Orders, Refunds & Users

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version

Plugin: Simple add pages or posts

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.13.0
Recommended Action: Update to version 3.13.0, or a newer patched version

Plugin: WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress

Plugin: WC1C

Plugin: Image Magnify

Plugin: MIPL WC Multisite Sync – Synchronize WC Products, Orders, Customers & Coupons across multiple sites

Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Error Log Viewer By WP Guru

Vulnerability: Missing Authorization to Unauthenticated Arbitrary File Read
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: ViewMedica 9

Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP jQuery DataTable

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler

Vulnerability: Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jupiter X Core

Vulnerability: Missing Authorization to Unauthenticated Popup Template Export
Patched Version: 4.8.6
Recommended Action: Update to version 4.8.6, or a newer patched version

Plugin: DynamicTags

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress File Upload

Vulnerability: Unauthenticated Path Traversal to Arbitrary File Read in wfu_file_downloader.php
Patched Version: 4.24.14
Recommended Action: Update to version 4.24.14, or a newer patched version

Plugin: Marketplace Items

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘marketplace’ Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Infility Global

Vulnerability: Reflected Cross-Site Scripting via set_type Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hide Category by User Role for WooCommerce

Plugin: Chative Live chat and Chatbot

Vulnerability: Cross-Site Request Forgery via add_chative_widget_action Function
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Wizhi Multi Filters by Wenprise

Plugin: Compare Products for WooCommerce

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ViewMedica 9

Plugin: Advance Menu Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Change
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Media Library Assistant

Vulnerability: Reflected Cross-Site Scripting via smc_settings_tab, unattachfixit-action, and woofixit-action Parameters
Patched Version: 3.24
Recommended Action: Update to version 3.24, or a newer patched version

Plugin: ElementsCSS Addons for Elementor (Elementor Widgets Extender & Addons)

Plugin: SEO LAT Auto Post

Vulnerability: Missing Authorization to File Overwrite/Upload (Remote Code Execution)
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pósturinn's Shipping with WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Hero Mega Menu – Responsive WordPress Menu Plugin

Plugin: ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes

Vulnerability: Authenticated (Shop manager+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Envato Elements – Photos & Elementor Templates

Vulnerability: Authenticated (Author+) Server-Side Request Forgery
Patched Version: 2.0.15
Recommended Action: Update to version 2.0.15, or a newer patched version

Plugin: Horoscope And Tarot

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: ProductDyno

Plugin: Compact WP Audio Player

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 1.9.15
Recommended Action: Update to version 1.9.15, or a newer patched version

Plugin: SmartEmailing.cz

Plugin: The Ultimate WordPress Toolkit – WP Extended

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.0.12
Recommended Action: Update to version 3.0.12, or a newer patched version

Plugin: Toggles Shortcode and Widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chat Support for Viber – Chat Bubble and Chat Button for Gutenberg, Elementor and Shortcode

Plugin: Uptodown APK Download Widget

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.6.17
Recommended Action: Update to version 2.6.17, or a newer patched version

Plugin: WPAchievements Free

Plugin: Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more

Vulnerability: Cross-Site Request Forgery via reset_installation Function
Patched Version: 2.8.0
Recommended Action: Update to version 2.8.0, or a newer patched version

Plugin: Same but Different – Related Posts by Taxonomy

Plugin: Jupiter X Core

Vulnerability: Missing Authorization to Authenticated Library Sync
Patched Version: 4.8.6
Recommended Action: Update to version 4.8.6, or a newer patched version

Plugin: Dynamics 365 Integration

Vulnerability: Authenticated (Contributor+) Remote Code Execution and Arbitrary File Read via Twig Server-Side Template Injection
Patched Version: 1.3.24
Recommended Action: Update to version 1.3.24, or a newer patched version

Plugin: Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates

Vulnerability: Missing Authorization
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version

Plugin: Booking calendar, Appointment Booking System

Vulnerability: Reflected Cross-Site Scripting via ‘calendar_id’
Patched Version: 3.2.20
Recommended Action: Update to version 3.2.20, or a newer patched version

Plugin: Live Sales Notification for Woocommerce – Woomotiv

Plugin: Coupon Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: 5centsCDN – WordPress CDN Plugin

Plugin: Chatroll Live Chat

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.3.53
Recommended Action: Update to version 2.3.53, or a newer patched version

Plugin: WordPress Webinar Plugin – WebinarPress

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Webinar Updates
Patched Version: 1.33.25
Recommended Action: Update to version 1.33.25, or a newer patched version

Plugin: Host PHP Info

Vulnerability: Missing Authorization to Unauthenticated Sensitive Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Sell Media

Plugin: BWD Elementor Addons (2500+ presets, Meet The Team, Lottie, Lord Icon, Masking, Woocommerce, Theme Builder, Products, Blogs, CV, Contact Form 7 Styler, Header, Slider, Hero Section)

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Patched Version: 4.3.19
Recommended Action: Update to version 4.3.19, or a newer patched version

Plugin: Social Rocket – Social Sharing Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GDY Modular Content

Plugin: Popup – MailChimp, GetResponse and ActiveCampaign Intergrations

Vulnerability: Missing Authorization to Unauthenticated DB Table Truncation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Vulnerability: Missing Authorization
Patched Version: 1.9.2.3
Recommended Action: Update to version 1.9.2.3, or a newer patched version

Plugin: Cost Calculator Builder PRO

Vulnerability: Unauthenticated SQL Injection via data
Patched Version: 3.2.16
Recommended Action: Update to version 3.2.16, or a newer patched version

Plugin: Role Includer

Vulnerability: Reflected Cross-Site Scripting via user_id Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 워드프레스 결제 심플페이 – 우커머스 결제 플러그인

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version

Plugin: Multiple Shipping And Billing Address For Woocommerce

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Image Hover Effects for Elementor

Plugin: WP SecureSubmit

Plugin: userpro-messaging

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SyncFields

Plugin: Sellsy

Plugin: Automate Hub Free by Sperse.IO

Plugin: ARS Affiliate Page Plugin

Plugin: Member Access

Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: One to one user Chat by WPGuppy

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Astra Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.16
Recommended Action: Update to version 1.2.16, or a newer patched version

Plugin: Easy Form Builder – WordPress plugin form builder: contact form, survey form, payment form, and custom form builder

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.8.9
Recommended Action: Update to version 3.8.9, or a newer patched version

Plugin: WooCommerce Digital Content Delivery (incl. DRM) – FlickRocket

Plugin: ARPrice – WordPress Pricing Table Plugin

Plugin: Solar Wizard Lite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Binary MLM Woocommerce

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Allada T-shirt Designer for Woocommerce – Custom Product Designer for T-shirt personalization and design

Plugin: The Ultimate WordPress Toolkit – WP Extended

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Remote Code Execution
Patched Version: 3.0.12
Recommended Action: Update to version 3.0.12, or a newer patched version

Plugin: JoomSport – for Sports: Team & League, Football, Hockey & more

Vulnerability: Reflected Cross-Site Scripting via page
Patched Version: 5.6.18
Recommended Action: Update to version 5.6.18, or a newer patched version

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: No subtitle
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Surbma | Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version

Plugin: Piotnet Addons For Elementor

Plugin: Locatoraid Store Locator

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.9.51
Recommended Action: Update to version 3.9.51, or a newer patched version

Plugin: Events Calendar for Google

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Meteor Slides

Plugin: PayU CommercePro Plugin

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Candifly

Plugin: BSK Forms Blacklist

Plugin: Elementor Addons AI Addons – 70 Widgets, Premium Templates, Ultimate Elements

Vulnerability: Authenticated (Contributor+) Private Templates Content Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: School Management System – WPSchoolPress

Vulnerability: Authenticated (Student/Parent+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ClickDesigns

Vulnerability: Missing Authorization to API Key Modification or Removal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Popular Posts

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 7.2.0
Recommended Action: Update to version 7.2.0, or a newer patched version

Plugin: Axeptio – Cookie Banner – GDPR Consent & Compliance with a friendly touch

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.5.5
Recommended Action: Update to version 2.5.5, or a newer patched version

Plugin: PlainInventory – Inventory Management Plugin

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.1.7
Recommended Action: Update to version 3.1.7, or a newer patched version

Plugin: Geo Content

Plugin: Kikx Simple Post Author Filter

Plugin: ARPrice – WordPress Pricing Table Plugin

Plugin: Email Reminders

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: WordLift – AI powered SEO – Schema

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Video Management System

Plugin: Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords

Vulnerability: Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Infility Global

Vulnerability: Authenticated (Subscriber+) Missing Authorization to Plugin Options Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider Pro Lite

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version

Plugin: RSVP and Event Management

Vulnerability: Missing Authorization
Patched Version: 2.7.14
Recommended Action: Update to version 2.7.14, or a newer patched version

Plugin: MDTF – Meta Data and Taxonomies Filter

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.3.3.6
Recommended Action: Update to version 1.3.3.6, or a newer patched version

Plugin: Wp advertising management

Plugin: Post/Page Copying Tool to Export and Import post/page for Cross site Migration

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: ARPrice – WordPress Pricing Table Plugin

Plugin: Fancy Product Designer

Plugin: LazyLoad Background Images

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Backup Migration

Vulnerability: Unauthenticated PHP Object Injection via ‘recursive_unserialize_replace’
Patched Version: 1.4.6.1
Recommended Action: Update to version 1.4.6.1, or a newer patched version

Plugin: WPBITS Addons For Elementor Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6
Recommended Action: Update to version 1.6, or a newer patched version

Plugin: Pretty Simple Popup Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version

Plugin: Enable Accessibility

Plugin: ACH Invoicing Plugin

Plugin: Target Notifications

Plugin: School Management System – SakolaWP

Plugin: Tida URL Screenshot

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Fancy Product Designer

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Docs

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Marketplace Items

Plugin: Backup and Restore WordPress – Backup Plugin

Vulnerability: Cross-Site Request Forgery to Backup Trigger
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PayGreen Payment Gateway

Plugin: FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Shortcode Export
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.15.2
Recommended Action: Update to version 3.15.2, or a newer patched version

Plugin: Service Box

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: NAVER Analytics

Plugin: Shipping via Planzer for WooCommerce

Vulnerability: Reflected Cross-Site Scripting via processed-ids
Patched Version: 1.0.26
Recommended Action: Update to version 1.0.26, or a newer patched version

Plugin: WP Menu Image

Vulnerability: Unauthenticated Menu Image Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ThePerfectWedding.nl Widget

Plugin: RightMessage WP

Plugin: ARPrice – WordPress Pricing Table Plugin

Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Common Ninja: Fully Customizable & Perfectly Responsive Free Widgets for WordPress Websites

Plugin: WordPress Webinar Plugin – WebinarPress

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Creation
Patched Version: 1.33.25
Recommended Action: Update to version 1.33.25, or a newer patched version

Plugin: SweepWidget Contests, Giveaways, Photo Contests, Competitions

Plugin: Duplicate Post, Page and Any Custom Post

Vulnerability: Authenticated (Contributor+) Post Disclosure via Post Duplication
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Compare Products for WooCommerce

Plugin: LDD Directory Lite

Vulnerability: Reflected Cross-Site Scripting via remove_query_arg Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: 140+ Widgets | Xpro Addons For Elementor – FREE

Vulnerability: Authenticated (Contributor+) Post Disclosure via Post Duplication
Patched Version: 1.4.6.3
Recommended Action: Update to version 1.4.6.3, or a newer patched version

Plugin: Taskbuilder – WordPress Project & Task Management plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wppm_tasks Shortcode
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: WPMozo Addons Lite for Elementor

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Binary MLM Woocommerce

Vulnerability: Reflected Cross-Site Scripting via ‘page’
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Unilevel MLM Plan

Plugin: WP Simple Sitemap

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.

About the Author

Odell Duppins Jr

Well qualified professional with plenty of hands on experience with various technologies. Excellent analytical and troubleshooting skills with a keen ability of developing and/or simplifying processes by finding and developing new innovative solutions.