Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Appmaker – Convert WooCommerce to Android & iOS Native Mobile Apps
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.59.4
Recommended Action: Update to version 3.59.4, or a newer patched version
Plugin: ContentLock
Vulnerability: Cross-Site Request Forgery to Group/Email Deletion
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Translate WordPress with ConveyThis
Vulnerability: Missing Authorization to Limited Option Update
Patched Version: 235
Recommended Action: Update to version 235, or a newer patched version
Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Settings Updates
Patched Version: 1.1.14
Recommended Action: Update to version 1.1.14, or a newer patched version
Plugin: ListingPro Plugin
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Category Posts Widget
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.9.17
Recommended Action: Update to version 4.9.17, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Limited Local File Inclusion via Widgets
Patched Version: 8.4.1
Recommended Action: Update to version 8.4.1, or a newer patched version
Plugin: WP Fast Total Search – The Power of Indexed Search
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.70.236
Recommended Action: Update to version 1.70.236, or a newer patched version
Plugin: Goftino
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version
Plugin: Timeline Event History
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version
Plugin: WooCommerce – Social Login
Vulnerability: Social Login <= 2.7.3
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: WP Travel Engine – Tour Booking Plugin – Tour Operator Software
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.2
Recommended Action: Update to version 5.9.2, or a newer patched version
Plugin: Typebot | Create advanced chat experiences without coding
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown
Patched Version: 3.2.39
Recommended Action: Update to version 3.2.39, or a newer patched version
Plugin: Caxton – Create Pro page layouts in Gutenberg
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mercado Pago payments for WooCommerce
Vulnerability: 7.6.1
Patched Version: 7.6.2
Recommended Action: Update to version 7.6.2, or a newer patched version
Plugin: Custom Query Blocks
Vulnerability: Missing Authorization via REST Routes
Patched Version: 5.3.0
Recommended Action: Update to version 5.3.0, or a newer patched version
Plugin: Event Manager, Events Calendar, Tickets, Registrations – Eventin
Vulnerability: Missing Authorization to Authenticated (Contributor+) Event Data Import
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version
Plugin: Redux Framework
Vulnerability: 4.4.17
Patched Version: 4.4.18
Recommended Action: Update to version 4.4.18, or a newer patched version
Plugin: Plugin Notes Plus
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version
Plugin: Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction
Vulnerability: Information Exposure via Log Files
Patched Version: 2.5.14
Recommended Action: Update to version 2.5.14, or a newer patched version
Plugin: Team Manager – WordPress Showcase Team Members
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 2.1.13
Recommended Action: Update to version 2.1.13, or a newer patched version
Plugin: Wp EMember
Vulnerability: Reflected Cross-Site Scripting via $_SERVER['REQUEST_URI']
Patched Version: 10.6.7
Recommended Action: Update to version 10.6.7, or a newer patched version
Plugin: codoc
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 0.9.52
Recommended Action: Update to version 0.9.52, or a newer patched version
Plugin: VikRentCar Car Rental Management System
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: Cooked – Recipe Management
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: Generate Images (AI) – Magic Post Thumbnail
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 5.2.8
Recommended Action: Update to version 5.2.8, or a newer patched version
Plugin: MaxiBlocks: 2300+ Patterns, 280+ Pages, 14.3K Icons & 100 Styles
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version
Plugin: Social Auto Poster
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 5.3.15
Recommended Action: Update to version 5.3.15, or a newer patched version
Plugin: Seraphinite Post .DOCX Source
Vulnerability: Missing Authorization
Patched Version: 2.16.10
Recommended Action: Update to version 2.16.10, or a newer patched version
Plugin: WP eStore
Vulnerability: Reflected Cross-Site Scripting via Product Editing
Patched Version: 8.5.6
Recommended Action: Update to version 8.5.6, or a newer patched version
Plugin: Easy Testimonials
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Affiliate Platform
Vulnerability: Reflected Cross-Site Scripting via Lead Editing
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version
Plugin: WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin
Vulnerability: Authenticated (Admin+) SMTP Password Exposure
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version
Plugin: GiveWP – Donation Plugin and Fundraising Platform
Vulnerability: Insecure Direct Object Reference to Authenticated (GiveWP Worker+) Arbitrary Post Actions
Patched Version: 3.14.0
Recommended Action: Update to version 3.14.0, or a newer patched version
Plugin: WP GoToWebinar
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 15.8
Recommended Action: Update to version 15.8, or a newer patched version
Plugin: WP eStore
Vulnerability: Reflected Cross-Site Scripting via Customer Search
Patched Version: 8.5.6
Recommended Action: Update to version 8.5.6, or a newer patched version
Plugin: Page Builder Gutenberg Blocks – CoBlocks
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 3.1.12
Recommended Action: Update to version 3.1.12, or a newer patched version
Plugin: Social Auto Poster
Vulnerability: Missing Authorization via Multiple Functions
Patched Version: 5.3.15
Recommended Action: Update to version 5.3.15, or a newer patched version
Plugin: ContentLock
Vulnerability: Cross-Site Request Forgery to Email Adding
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: WooCommerce – Social Login
Vulnerability: Social Login <= 2.7.3
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: Social Auto Poster
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 5.3.15
Recommended Action: Update to version 5.3.15, or a newer patched version
Plugin: Gutenverse – Ultimate Block Addons and Page Builder for Site Editor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version
Plugin: Social Auto Poster
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.3.15
Recommended Action: Update to version 5.3.15, or a newer patched version
Plugin: Master Popups
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ReDi Restaurant Reservation
Vulnerability: Missing Authorization
Patched Version: 24.0712
Recommended Action: Update to version 24.0712, or a newer patched version
Plugin: WP EasyPay – Create Your Payment Forms to Pay with Square – Square for WordPress Plugin: Integrate Square with WordPress to Collect Payments
Vulnerability: Missing Authorization to Unauthenticated Service Disconnection
Patched Version: 4.2.4
Recommended Action: Update to version 4.2.4, or a newer patched version
Plugin: Cooked – Recipe Management
Vulnerability: Cross-Site Request Forgery to Template Apply
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: Seraphinite Post .DOCX Source
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.16.10
Recommended Action: Update to version 2.16.10, or a newer patched version
Plugin: WP Affiliate Platform
Vulnerability: Reflected Cross-Site Scripting via Registration Form
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version
Plugin: Ultimate Addons for WPBakery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.19.20.1
Recommended Action: Update to version 3.19.20.1, or a newer patched version
Plugin: Smartsupp – live chat, chatbots, AI and lead generation
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version
Plugin: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via File Upload
Patched Version: 1.26.7
Recommended Action: Update to version 1.26.7, or a newer patched version
Plugin: Telegram Bot & Channel
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Template Kit – Export
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version
Plugin: Arconix FAQ
Vulnerability: Missing Authorization
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version
Plugin: Sticky Social Link
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 1.1.42
Recommended Action: Update to version 1.1.42, or a newer patched version
Plugin: Metorik – Reports & Email Automation for WooCommerce
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: ListingPro Plugin
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BerqWP – Automated All-In-One PageSpeed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript
Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: 1.7.6
Recommended Action: Update to version 1.7.6, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Marquee Text Widget, Testimonials Widget, and Testimonial Slider Widgets
Patched Version: 8.4.2
Recommended Action: Update to version 8.4.2, or a newer patched version
Plugin: Replace Image
Vulnerability: Insecure Direct Object Reference
Patched Version: 1.1.11
Recommended Action: Update to version 1.1.11, or a newer patched version
Plugin: JetWidgets for Elementor and WooCommerce
Vulnerability: Authenticated (Contributor+) Limited Local File Inclusion
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: Simple Popup Plugin
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version
Plugin: Arconix Shortcodes
Vulnerability: Missing Authorization
Patched Version: 2.1.12
Recommended Action: Update to version 2.1.12, or a newer patched version
Plugin: Simple Responsive Slider
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: HitPay Payment Gateway for WooCommerce
Vulnerability: Information Exposure via Log Files
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version
Plugin: ContentLock
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.4.1
Recommended Action: Update to version 4.4.1, or a newer patched version
Plugin: WPBITS Addons For Elementor Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: WP Affiliate Platform
Vulnerability: Reflected Cross-Site Scripting via Banner Editing
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version
Plugin: Duplica – Duplicate Posts, Pages, Custom Posts or Users
Vulnerability: Authenticated (Subscriber+) Missing Authorization to Users/Posts Duplicates Creation
Patched Version: 0.7
Recommended Action: Update to version 0.7, or a newer patched version
Plugin: WP Meteor Website Speed Optimization Addon
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version
Plugin: SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version
Plugin: Team Members
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.3.4
Recommended Action: Update to version 5.3.4, or a newer patched version
Plugin: Ultimate Addons for WPBakery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.19.20.1
Recommended Action: Update to version 3.19.20.1, or a newer patched version
Plugin: Ultimate Addons for WPBakery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.19.20.1
Recommended Action: Update to version 3.19.20.1, or a newer patched version
Plugin: Security Optimizer – The All-In-One Protection Plugin
Vulnerability: Missing Authorization via hide_notice()
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Authenticated (Tutor Instructor+) Stored Cross-Site Scripting
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.6.12
Recommended Action: Update to version 5.6.12, or a newer patched version
Plugin: Timetable and Event Schedule by MotoPress
Vulnerability: Authenticated (Admin+) PHP Object Injection
Patched Version: 2.4.14
Recommended Action: Update to version 2.4.14, or a newer patched version
Plugin: Product Delivery Date for WooCommerce – Lite
Vulnerability: Missing Authorization
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version
Plugin: Social Auto Poster
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update via wpw_auto_poster_update_tweet_template
Patched Version: 5.3.15
Recommended Action: Update to version 5.3.15, or a newer patched version
Plugin: SVG Support
Vulnerability: Authenticated (Author+) Cross-Site Scripting via SVG
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: Cooked – Recipe Management
Vulnerability: Cross-Site Request Forgery via cooked_get_recipe_ids
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: WP Photo Album Plus
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 8.8.02.003
Recommended Action: Update to version 8.8.02.003, or a newer patched version
Plugin: Uncanny Automator Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.0.1
Recommended Action: Update to version 5.3.0.1, or a newer patched version
Plugin: WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: Amazing Hover Effects
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce – Social Login
Vulnerability: Social Login <= 2.7.3
Patched Version: 2.7.4
Recommended Action: Update to version 2.7.4, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Various Widgets
Patched Version: 8.4
Recommended Action: Update to version 8.4, or a newer patched version
Plugin: Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ElementsKit Elementor addons
Vulnerability: Unauthenticated Information Exposure via ekit_widgetarea_content Function
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version
Plugin: Olive One Click Demo Import
Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AdPush
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LiteSpeed Cache
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version
Plugin: WP Accessibility Helper (WAH)
Vulnerability: Missing Authorization
Patched Version: 0.6.3
Recommended Action: Update to version 0.6.3, or a newer patched version
Plugin: Conditional Fields for Contact Form 7
Vulnerability: Cross-Site Request Forgery to Plugin Setting Reset
Patched Version: 2.4.14
Recommended Action: Update to version 2.4.14, or a newer patched version
Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim
Vulnerability: Missing Authorization
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version
Plugin: WP GoToWebinar
Vulnerability: Missing Authorization
Patched Version: 15.7
Recommended Action: Update to version 15.7, or a newer patched version
Plugin: Advanced post slider
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Magazine Grid/Slider Widget
Patched Version: 1.3.981
Recommended Action: Update to version 1.3.981, or a newer patched version
Plugin: Cooked – Recipe Management
Vulnerability: Cross-Site Request Forgery to Template Reset
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update and Arbitrary File Upload
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Spiffy Calendar
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 4.9.12
Recommended Action: Update to version 4.9.12, or a newer patched version
Plugin: ListingPro Plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ePoll – Best WordPress Voting Plugin for Poll & Contest
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 3.5
Recommended Action: Update to version 3.5, or a newer patched version
Plugin: Plum: Spin Wheel & Email Pop-up
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SKT Skill Bar
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version
Plugin: Livemesh Addons for Beaver Builder
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version
Plugin: ListingPro Plugin
Vulnerability: Authenticated (Author+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 5.3.2
Recommended Action: Update to version 5.3.2, or a newer patched version
Plugin: WPForms User Registration
Vulnerability: Missing Authorization to Authenticated (Contributor+) Privilege Escalation
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Pretty Simple Popup Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.10
Recommended Action: Update to version 1.0.10, or a newer patched version
Plugin: Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Social Media Share Buttons & Social Sharing Icons
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version
Plugin: Elementor Addons by Livemesh
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Grid
Patched Version: 8.4
Recommended Action: Update to version 8.4, or a newer patched version
Plugin: Ultimate Addons for WPBakery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.19.20.1
Recommended Action: Update to version 3.19.20.1, or a newer patched version
Plugin: Keap Official Opt-in Forms
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Link Library
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.7.2
Recommended Action: Update to version 7.7.2, or a newer patched version
Plugin: Image SEO – AI-Driven Image SEO Optimizer
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) JSON File Directory Traversal
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: Great Restaurant Menu WP
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version
Plugin: Brizy – Page Builder
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 2.4.45
Recommended Action: Update to version 2.4.45, or a newer patched version
Plugin: Power BI Embedded for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Schema & Structured Data for WP & AMP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via url Attribute
Patched Version: 1.34.1
Recommended Action: Update to version 1.34.1, or a newer patched version
Plugin: Plum: Spin Wheel & Email Pop-up
Vulnerability: Missing Authorization to Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA
Vulnerability: Missing Authorization to Unauthenticated Message Duplication
Patched Version: 3.1.25
Recommended Action: Update to version 3.1.25, or a newer patched version
Plugin: Smart Post Show – Post Grid, Post Carousel, Post Slider, Post Timeline, Post Table, and List Category Posts, Latest Posts, Recent Posts, Popular Posts and More
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.4.28
Recommended Action: Update to version 2.4.28, or a newer patched version
Plugin: GD Rating System
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.6.1
Recommended Action: Update to version 3.6.1, or a newer patched version
Plugin: CopySafe Web Protection
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version
Plugin: WooCommerce – PDF Vouchers
Vulnerability: PDF Vouchers <= 4.9.3
Patched Version: 4.9.4
Recommended Action: Update to version 4.9.4, or a newer patched version
Plugin: RegLevel
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Download Button for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cooked – Recipe Management
Vulnerability: Authenticated (Contributor+) HTML Injection
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version
Plugin: SEO Plugin by Squirrly SEO
Vulnerability: Authenticated (Contributor+) SQL Injection via url Parameter
Patched Version: 12.3.20
Recommended Action: Update to version 12.3.20, or a newer patched version
Plugin: Meks Video Importer
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Events Calendar for Google
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Fast Total Search – The Power of Indexed Search
Vulnerability: Missing Authorization
Patched Version: 1.69.234
Recommended Action: Update to version 1.69.234, or a newer patched version
Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode
Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CodePen Embedded Pens Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version
Plugin: Addonify – Quick View For WooCommerce
Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 1.2.17
Recommended Action: Update to version 1.2.17, or a newer patched version
Plugin: WP Announcement | Dynamic Announcement, Banner, & Countdown Timer for Effective Promotions
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version
Plugin: Admin Dashboard RSS Feed
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: YITH Essential Kit for WooCommerce #1
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install, Activation, and Deactivation
Patched Version: 2.35.0
Recommended Action: Update to version 2.35.0, or a newer patched version
Plugin: Zoho CRM Lead Magnet
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.8.9
Recommended Action: Update to version 1.7.8.9, or a newer patched version
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.6.6
Recommended Action: Update to version 5.6.6, or a newer patched version
Plugin: AI ChatBot for WordPress – WPBot
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.5.8
Recommended Action: Update to version 5.5.8, or a newer patched version
Plugin: YITH WooCommerce Ajax Product Filter
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.2.0
Recommended Action: Update to version 5.2.0, or a newer patched version
Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Vulnerability: Authenticated (Subscriber+) Arbitrary File Read to Arbitrary File Creation
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: FormLift for Infusionsoft Web Forms
Vulnerability: Unauthenticated SQL Injection
Patched Version: 7.5.18
Recommended Action: Update to version 7.5.18, or a newer patched version
Plugin: iPanorama 360 – Advanced Virtual Tour Builder
Vulnerability: Missing Authorization
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version
Plugin: FV Flowplayer Video Player
Vulnerability: Authenticated (Subscriber+) SQL Injection via exclude Parameter
Patched Version: 7.5.47.7212
Recommended Action: Update to version 7.5.47.7212, or a newer patched version
Plugin: Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.12.10
Recommended Action: Update to version 3.12.10, or a newer patched version
Plugin: Social Auto Poster
Vulnerability: Cross-Site Request Forgery via Multiple Functions
Patched Version: 5.3.15
Recommended Action: Update to version 5.3.15, or a newer patched version
Plugin: UiPress lite | Effortless custom dashboards, admin themes and pages
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.4.07
Recommended Action: Update to version 3.4.07, or a newer patched version
Plugin: Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells
Vulnerability: Missing Authorization to Authenticated (Contributor+) Settings Update
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version
Plugin: Social Auto Poster
Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post Deletion
Patched Version: 5.3.15
Recommended Action: Update to version 5.3.15, or a newer patched version
Plugin: WP Affiliate Platform
Vulnerability: Reflected Cross-Site Scripting via Affiliate Editing
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version
Plugin: Get Use APIs – JSON Content Importer
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: AI Engine
Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version
Plugin: CM WordPress Search And Replace Plugin
Vulnerability: Cross-Site Request Forgery to Plugin Setting Reset
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Ultimate Addons for WPBakery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.19.20.1
Recommended Action: Update to version 3.19.20.1, or a newer patched version
Plugin: PayPlus Payment Gateway
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 7.0.8
Recommended Action: Update to version 7.0.8, or a newer patched version
Plugin: Meks Video Importer
Vulnerability: Missing Authorization to Authenticated (Subscriber+) API Keys Modification
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version
Plugin: Search & Filter Pro
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.5.18
Recommended Action: Update to version 2.5.18, or a newer patched version
Plugin: Qi Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: CTX Feed – WooCommerce Product Feed Manager
Vulnerability: Authenticated (Shop Manager+) Arbitrary Options Update
Patched Version: 6.5.7
Recommended Action: Update to version 6.5.7, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Missing Authorization
Patched Version: 4.0.5
Recommended Action: Update to version 4.0.5, or a newer patched version
Plugin: Change From Email
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP eStore
Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 8.5.6
Recommended Action: Update to version 8.5.6, or a newer patched version
Plugin: Moloni
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.8.0
Recommended Action: Update to version 4.8.0, or a newer patched version
Plugin: Matomo Analytics – Ethical Stats. Powerful Insights.
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Missing Authentication to MailChimp API key update
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version
Plugin: Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More
Vulnerability: Missing Authorization
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Getwid – Gutenberg Blocks
Vulnerability: Missing Authorization to Google API key update
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version
Plugin: WP Affiliate Platform
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.