Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Ultimate Blocks – WordPress Blocks Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Blocks
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: AWSM Team – Team Showcase Plugin
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version
Plugin: XStore Core
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version
Plugin: WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version
Plugin: Cost Calculator Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.2.13
Recommended Action: Update to version 3.2.13, or a newer patched version
Plugin: Slider by 10Web – Responsive Image Slider
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.56
Recommended Action: Update to version 1.2.56, or a newer patched version
Plugin: WP Chat App
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Missing Authorization to Unauthenticated User Registration Bypass
Patched Version: 4.2.6.8.2
Recommended Action: Update to version 4.2.6.8.2, or a newer patched version
Plugin: XStore Core
Vulnerability: Unauthenticated SQL Injection
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version
Plugin: Login with phone number
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.36
Recommended Action: Update to version 1.7.36, or a newer patched version
Plugin: Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer
Vulnerability: Missing Authorization
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: Wheel of Life: Coaching and Assessment Tool for Life Coach
Vulnerability: Missing Authorization on Several AJAX Endpoints
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version
Plugin: Wishlist Member
Vulnerability: Unauthenticated Denial of Service
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Post List
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.5.6.2
Recommended Action: Update to version 0.5.6.2, or a newer patched version
Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: Page and Post Clone
Vulnerability: Insecure Direct Object Reference to Authenticated (Author+) Sensitive Information Exposure
Patched Version: 6.1
Recommended Action: Update to version 6.1, or a newer patched version
Plugin: SULly
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: Website Content in Page or Post
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2024.04.09
Recommended Action: Update to version 2024.04.09, or a newer patched version
Plugin: Snippet Shortcodes
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version
Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce
Vulnerability: Unauthenticated SQL Injection via unsubscribe
Patched Version: 5.7.26
Recommended Action: Update to version 5.7.26, or a newer patched version
Plugin: Restrict for Elementor
Vulnerability: Protection Mechanism Bypass
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version
Plugin: Themesflat Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Tags
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Newspack Blocks
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Advanced Custom Fields Pro
Vulnerability: Missing Authorization
Patched Version: 6.3.2
Recommended Action: Update to version 6.3.2, or a newer patched version
Plugin: WP Directory Kit
Vulnerability: Authenticated (Admin+) HTML Injection
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Unauthenticated Limited Privilege Escalation to Instructor
Patched Version: 3.3.24
Recommended Action: Update to version 3.3.24, or a newer patched version
Plugin: Tournamatch
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version
Plugin: Wishlist Member
Vulnerability: Unauthenticated Arbitrary SQL Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: ArtPlacer Widget
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.21.2
Recommended Action: Update to version 2.21.2, or a newer patched version
Plugin: Live Composer – Free WordPress Website Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.43
Recommended Action: Update to version 1.5.43, or a newer patched version
Plugin: CRM Perks Forms – WordPress Form Builder
Vulnerability: Missing Authorization to Unauthenticated Form Submission
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version
Plugin: Church Admin
Vulnerability: Missing Authorization
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version
Plugin: Prayer
Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version
Plugin: Restaurant Reservations
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Consulting Elementor Widgets
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Elementor Website Builder Pro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.21.3
Recommended Action: Update to version 3.21.3, or a newer patched version
Plugin: Featured Image from URL (FIFU)
Vulnerability: Missing Authorization
Patched Version: 4.8.2
Recommended Action: Update to version 4.8.2, or a newer patched version
Plugin: Interactive Content – H5P
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.15.8
Recommended Action: Update to version 1.15.8, or a newer patched version
Plugin: Wishlist Member
Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Branda – Branda – White Label & Branding, Custom Login Page Customizer
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.4.18
Recommended Action: Update to version 3.4.18, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Missing Authorization
Patched Version: 3.2.13
Recommended Action: Update to version 3.2.13, or a newer patched version
Plugin: Consulting Elementor Widgets
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Newspack Campaigns
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.31.2
Recommended Action: Update to version 2.31.2, or a newer patched version
Plugin: Defender Security – Malware Scanner, Login Security & Firewall
Vulnerability: Missing Authorization
Patched Version: 4.7.3
Recommended Action: Update to version 4.7.3, or a newer patched version
Plugin: Shortcodes by United Themes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version
Plugin: Spotify Play Button
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: All-in-One Addons for Elementor – WidgetKit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Widgets
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Stock Ticker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via stock_ticker Shortcode
Patched Version: 3.24.6
Recommended Action: Update to version 3.24.6, or a newer patched version
Plugin: Void Contact Form 7 Widget For Elementor Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via cf7_redirect_page Attribute
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: Newspack Blocks
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Video Widget
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Uncanny Toolkit Pro for LearnDash
Vulnerability: Missing Authorization to Arbitrary Page/Post Duplication
Patched Version: 4.1.4.1
Recommended Action: Update to version 4.1.4.1, or a newer patched version
Plugin: OpenPGP Form Encryption for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version
Plugin: Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: 3.4.0
Recommended Action: Update to version 3.4.0, or a newer patched version
Plugin: Rife Elementor Extensions & Templates
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Widget
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: LA-Studio Element Kit for Elementor
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: Page Builder Gutenberg Blocks – CoBlocks
Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 3.1.12
Recommended Action: Update to version 3.1.12, or a newer patched version
Plugin: Easy Table of Contents
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.66
Recommended Action: Update to version 2.0.66, or a newer patched version
Plugin: WP Photo Album Plus
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.8.00.003
Recommended Action: Update to version 8.8.00.003, or a newer patched version
Plugin: Page Builder Sandwich – Front End WordPress Page Builder Plugin
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: 1.8.26
Recommended Action: Update to version 1.8.26, or a newer patched version
Plugin: Beaver Builder Addons by WPZOOM
Vulnerability: Authenticated (Editor+) Local File Inclusion
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version
Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Vulnerability: Unauthenticated SQL Injection via ‘uwp_sort_by’
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version
Plugin: Elegant Themes Icons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: Easy Age Verify
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.8.3
Recommended Action: Update to version 1.8.3, or a newer patched version
Plugin: All-in-One Addons for Elementor – WidgetKit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version
Plugin: DImage 360
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kadence Blocks Pro
Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version
Plugin: PayPlus Payment Gateway
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.6.9
Recommended Action: Update to version 6.6.9, or a newer patched version
Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.0.5
Recommended Action: Update to version 9.0.5, or a newer patched version
Plugin: Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via galleryID and className Parameters
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Newspack Content Converter
Vulnerability: Missing Authorization
Patched Version: 1.0.0
Recommended Action: Update to version 1.0.0, or a newer patched version
Plugin: XStore Core
Vulnerability: Authenticated (Subscriber+) Limited Arbitrary File Upload
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version
Plugin: Ultimate Blocks – WordPress Blocks Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title tag attribute
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: Woffice Core
Vulnerability: Missing Authorization
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version
Plugin: Patreon WordPress
Vulnerability: Protection Mechanism Bypass
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version
Plugin: Simple Photoswipe
Vulnerability: Missing Authorization (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: XStore Core
Vulnerability: Missing Authorization
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version
Plugin: Newsletters
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.9.8
Recommended Action: Update to version 4.9.8, or a newer patched version
Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vulnerability: Unauthenticated Insecure Direct Object Reference to Order Status Update
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version
Plugin: Easy Google Maps
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.11.16
Recommended Action: Update to version 1.11.16, or a newer patched version
Plugin: AI Power: Complete AI Pack
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.67
Recommended Action: Update to version 1.8.67, or a newer patched version
Plugin: WP Job Manager – Resume Manager
Vulnerability: Resume Manager <= 2.1.0
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Vimeography: Vimeo Video Gallery WordPress Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version
Plugin: Laybuy Payment Extension for WooCommerce
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Demo Awesome
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version
Plugin: PZ Frontend Manager
Vulnerability: Cross-Site Request Forgery to Profile Picture Update
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version
Plugin: Auto Featured Image
Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Maps – Display Google Maps Perfectly with Ease
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 4.6.2
Recommended Action: Update to version 4.6.2, or a newer patched version
Plugin: Community Events
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version
Plugin: CM E-Mail Registration Blacklist
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version
Plugin: Accordion – Multiple Accordion or FAQs Builder
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Bootstrap Elements for Elementor
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.4.3
Recommended Action: Update to version 1.4.3, or a newer patched version
Plugin: Request a Quote
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version
Plugin: WP Blog Post Layouts
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version
Plugin: Newspack Blocks
Vulnerability: Authenticated (Contributor+) Arbitrary Directory Deletion
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: JW Player for WordPress
Vulnerability: Missing Authorization
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version
Plugin: WP eStore
Vulnerability: Reflected Cross-Site Scripting via Category Editing
Patched Version: 8.5.5
Recommended Action: Update to version 8.5.5, or a newer patched version
Plugin: Social Rocket – Social Sharing Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Ultimate Blocks – WordPress Blocks Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.9
Recommended Action: Update to version 3.1.9, or a newer patched version
Plugin: Newspack Newsletters
Vulnerability: Missing Authorization
Patched Version: 2.13.3
Recommended Action: Update to version 2.13.3, or a newer patched version
Plugin: Wishlist Member
Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Demo Awesome
Vulnerability: Missing Authorization
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version
Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.32
Recommended Action: Update to version 3.32, or a newer patched version
Plugin: Masterstudy Elementor Widgets
Vulnerability: Missing Authorization
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Export WP Page to Static HTML/CSS
Vulnerability: Open Redirect
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: Enter Addons – Ultimate Template Builder for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.7
Recommended Action: Update to version 2.1.7, or a newer patched version
Plugin: Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: E2Pdf – Export Pdf Tool for WordPress
Vulnerability: Missing Authorization
Patched Version: 1.23.00
Recommended Action: Update to version 1.23.00, or a newer patched version
Plugin: WP QuickLaTeX
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version
Plugin: Download Attachments
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Motors – Car Dealer, Classifieds & Listing
Vulnerability: Missing Authorization
Patched Version: 1.4.11
Recommended Action: Update to version 1.4.11, or a newer patched version
Plugin: SP Project & Document Manager
Vulnerability: Authenticated (Subscriber+) Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Extensions for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter
Patched Version: 2.0.31
Recommended Action: Update to version 2.0.31, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.6
Recommended Action: Update to version 1.13.6, or a newer patched version
Plugin: EmbedSocial – Social Media Feeds, Reviews and Galleries
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version
Plugin: Empty Cart Button for WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mailster – Email Newsletter Plugin for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0.10
Recommended Action: Update to version 4.0.10, or a newer patched version
Plugin: Sketchfab Embed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Loco Translate
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.10
Recommended Action: Update to version 2.6.10, or a newer patched version
Plugin: Happy Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Gradient Heading Widget
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version
Plugin: ProfileGrid – User Profiles, Groups and Communities
Vulnerability: Missing Authorization
Patched Version: 5.8.8
Recommended Action: Update to version 5.8.8, or a newer patched version
Plugin: Zita Elementor Site Library
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version
Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection
Vulnerability: IP Address Spoofing to Denial of Service
Patched Version: 9.3.2
Recommended Action: Update to version 9.3.2, or a newer patched version
Plugin: Hercules Core
Vulnerability: Missing Authorization to Settings Update
Patched Version: 6.7
Recommended Action: Update to version 6.7, or a newer patched version
Plugin: XStore Core
Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version
Plugin: Squeeze
Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version
Plugin: PayPlus Payment Gateway
Vulnerability: Unauthenticated SQL Injection
Patched Version: 6.6.9
Recommended Action: Update to version 6.6.9, or a newer patched version
Plugin: Kanban Boards for WordPress
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Falang multilanguage for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.52
Recommended Action: Update to version 1.3.52, or a newer patched version
Plugin: Events Manager – Calendar, Bookings, Tickets, and more!
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4.9
Recommended Action: Update to version 6.4.9, or a newer patched version
Plugin: Filter & Grids
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.8.33
Recommended Action: Update to version 2.8.33, or a newer patched version
Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version
Plugin: WPAdverts – Classifieds Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: ArtPlacer Widget
Vulnerability: Missing Authorization to Widget Deletion
Patched Version: 2.21.2
Recommended Action: Update to version 2.21.2, or a newer patched version
Plugin: Bug Library
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version
Plugin: Cards for Beaver Builder
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version
Plugin: HTML Forms – Simple WordPress Forms Plugin
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.33
Recommended Action: Update to version 1.3.33, or a newer patched version
Plugin: Print My Blog – Print, PDF, & eBook Converter WordPress Plugin
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.27.1
Recommended Action: Update to version 3.27.1, or a newer patched version
Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Vulnerability: Missing Authorization
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version
Plugin: WP eStore
Vulnerability: Reflected Cross-Site Scripting via Customer Editing
Patched Version: 8.5.5
Recommended Action: Update to version 8.5.5, or a newer patched version
Plugin: LearnPress – WordPress LMS Plugin
Vulnerability: Unauthenticated Bypass to User Registration
Patched Version: 4.2.6.8.2
Recommended Action: Update to version 4.2.6.8.2, or a newer patched version
Plugin: Gallery Plugin for WordPress – Envira Photo Gallery
Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version
Plugin: Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: User Rights Access Manager
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Uploadcare File Uploader and Adaptive Delivery (beta)
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version
Plugin: WP eStore
Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI
Patched Version: 8.5.5
Recommended Action: Update to version 8.5.5, or a newer patched version
Plugin: Hide My WP Ghost – Security & Firewall
Vulnerability: Login Page Disclosure
Patched Version: 5.2.02
Recommended Action: Update to version 5.2.02, or a newer patched version
Plugin: XStore Core
Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version
Plugin: Simple Video Directory
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version
Plugin: Index WP MySQL For Speed
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.18
Recommended Action: Update to version 1.4.18, or a newer patched version
Plugin: Wishlist Member
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: File Manager
Vulnerability: Missing Authorization
Patched Version: 7.2.8
Recommended Action: Update to version 7.2.8, or a newer patched version
Plugin: PowerPack Lite for Beaver Builder
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.3.0.5
Recommended Action: Update to version 1.3.0.5, or a newer patched version
Plugin: Page Builder Sandwich – Front End WordPress Page Builder Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Progress Planner
Vulnerability: Missing Authorization
Patched Version: 0.9.2
Recommended Action: Update to version 0.9.2, or a newer patched version
Plugin: Slider Revolution
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.7.14
Recommended Action: Update to version 6.7.14, or a newer patched version
Plugin: SULly
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.36
Recommended Action: Update to version 1.6.36, or a newer patched version
Plugin: FS Poster – WordPress Social media Auto Poster & Scheduler [Facebook, Instagram, Twitter, Pinterest]
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Uncanny Automator Pro
Vulnerability: Missing Authorization to Unauthenticated License Setting Reset
Patched Version: 5.3.0.1
Recommended Action: Update to version 5.3.0.1, or a newer patched version
Plugin: Uncanny Toolkit Pro for LearnDash
Vulnerability: Cross-Site Request Forgery
Patched Version: 4.1.4.1
Recommended Action: Update to version 4.1.4.1, or a newer patched version
Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kimili Flash Embed
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Newspack Ads
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.47.2
Recommended Action: Update to version 1.47.2, or a newer patched version
Plugin: License Manager for WooCommerce
Vulnerability: Improper Authorization to Authenticated (Contributor+) Sensitive Information Exposure
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version
Plugin: Contact Form 7
Vulnerability: Unauthenticated Open Redirect
Patched Version: 5.9.5
Recommended Action: Update to version 5.9.5, or a newer patched version
Plugin: Canto
Vulnerability: Unauthenticated Remote File Inclusion
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Newspack Newsletters
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.13.3
Recommended Action: Update to version 2.13.3, or a newer patched version
Plugin: WP-Lister Lite for Amazon
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.6.17
Recommended Action: Update to version 2.6.17, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: DethemeKit For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via URL Parameter of the De Gallery Widget
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: Create by Mediavine
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Schema Meta Shortcode
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version
Plugin: Advanced File Manager
Vulnerability: Sensitive Information Exposure via Directory Listing
Patched Version: 5.2.5
Recommended Action: Update to version 5.2.5, or a newer patched version
Plugin: Post Meta Data Manager
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Footer Contacts Bar
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: SellKit – Funnel builder and checkout optimizer for WooCommerce to sell more, faster
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version
Plugin: Photo Gallery by Ays – Responsive Image Gallery
Vulnerability: Authenticated (Administrator+) HTML Injection
Patched Version: 5.7.1
Recommended Action: Update to version 5.7.1, or a newer patched version
Plugin: Transition Slider – Responsive Image Slider and Gallery
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Mega Elements – Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: ElementsKit Elementor addons
Vulnerability: Missing Authorization
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version
Plugin: SULly
Vulnerability: Cross-Site Request Forgery to Plugin Reset
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Vulnerability: Email Verification Bypass due to Insufficient Randomness
Patched Version: 2.8.10
Recommended Action: Update to version 2.8.10, or a newer patched version
Plugin: Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CM Pop-Up Banners for WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version
Plugin: Chained Quiz
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.3.2.9
Recommended Action: Update to version 1.3.2.9, or a newer patched version
Plugin: Exclusive Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Card Widget
Patched Version: 2.6.9.9
Recommended Action: Update to version 2.6.9.9, or a newer patched version
Plugin: Simple Newsletter Plugin – Noptin
Vulnerability: Missing Authorization to Unauthenticated Form Submission
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: HT Mega – Absolute Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Video Player Widget Settings
Patched Version: 2.5.6
Recommended Action: Update to version 2.5.6, or a newer patched version
Plugin: Consulting Elementor Widgets
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: Elementor Addon Elements
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.13.6
Recommended Action: Update to version 1.13.6, or a newer patched version
Plugin: ActiveDEMAND
Vulnerability: Cross-Site Request Forgery
Patched Version: 0.2.44
Recommended Action: Update to version 0.2.44, or a newer patched version
Plugin: Portfolio Gallery – Image Gallery Plugin
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: Blogmentor – Blog Layouts for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via pagination_style Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.219
Recommended Action: Update to version 1.0.219, or a newer patched version
Plugin: PowerPack Lite for Beaver Builder
Vulnerability: Authenticated (Editor+) Local File Inclusion
Patched Version: 1.3.0.4
Recommended Action: Update to version 1.3.0.4, or a newer patched version
Plugin: Woocommerce Customers Order History
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: XStore Core
Vulnerability: Authenticated (Subscriber+) Limited Arbitrary File Download
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version
Plugin: Shortcodes Ultimate Pro
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.1.5
Recommended Action: Update to version 7.1.5, or a newer patched version
Plugin: The Ultimate WordPress Toolkit – WP Extended
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Property Hive
Vulnerability: Missing Authorization
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version
Plugin: XStore Core
Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version
Core: WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML API
Patched Version: 5.9.10 (oldest patched branch; each supported branch has its own fix release, listed below)
Recommended Action: Update to one of the following versions, or a newer patched version: 5.9.10, 6.0.9, 6.1.7, 6.2.6, 6.3.5, 6.4.5, 6.5.5
Plugin: Ultimate Post Kit Addons For Elementor – (Post Grid, Post Carousel, Post Slider, Category List, Post Tabs, Timeline, Post Ticker and Tag Cloud)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Social Count (Static) Widget
Patched Version: 3.11.8
Recommended Action: Update to version 3.11.8, or a newer patched version
Plugin: Cowidgets – Elementor Addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via heading_tag Parameter
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Floating Social Buttons
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: TrustedLogin Vendor
Vulnerability: Unauthenticated Information Disclosure
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version
Plugin: WP Job Manager – Resume Manager
Vulnerability: Type not specified in this summary (affects Resume Manager <= 2.1.0)
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Tutor LMS – eLearning and online course solution
Vulnerability: Authenticated (Admin+) Path Traversal
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version
Plugin: Newspack Blocks
Vulnerability: Missing Authorization
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version
Plugin: Tournamatch
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version
Plugin: WP eStore
Vulnerability: Reflected Cross-Site Scripting via Discount Editing
Patched Version: 8.5.5
Recommended Action: Update to version 8.5.5, or a newer patched version
Plugin: PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Progress Planner
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 0.9.3
Recommended Action: Update to version 0.9.3, or a newer patched version
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes
Patched Version: 3.2.46
Recommended Action: Update to version 3.2.46, or a newer patched version
Plugin: SULly
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version
Plugin: Embed Peertube Playlist
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version
Plugin: Consulting Elementor Widgets
Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version
Plugin: PixelYourSite – Your smart PIXEL (TAG) & API Manager
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.6.2
Recommended Action: Update to version 9.6.2, or a newer patched version
Plugin: WP Mobile Menu – The Mobile-Friendly Responsive Menu
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.8.4.4
Recommended Action: Update to version 2.8.4.4, or a newer patched version
Plugin: Tabs – Responsive Tabs with WooCommerce Product Tab Extension
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SVG Block
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: 1.1.20
Recommended Action: Update to version 1.1.20, or a newer patched version
Plugin: Themesflat Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Titles
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: InstaWP Connect – 1-click WP Staging & Migration
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 0.1.0.39
Recommended Action: Update to version 0.1.0.39, or a newer patched version
Plugin: Easy Image Collage
Vulnerability: Missing Authorization to Authenticated (Contributor+) Data Clearance
Patched Version: 1.13.6
Recommended Action: Update to version 1.13.6, or a newer patched version
Plugin: Media Library Assistant
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.18
Recommended Action: Update to version 3.18, or a newer patched version
Plugin: Frontend Checklist
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Items
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Uncanny Automator Pro
Vulnerability: Cross-Site Request Forgery to License Setting Reset
Patched Version: 5.3.0.1
Recommended Action: Update to version 5.3.0.1, or a newer patched version
Plugin: Live Composer – Free WordPress Website Builder
Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.5.43
Recommended Action: Update to version 1.5.43, or a newer patched version
Plugin: IdeaPush
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 8.66
Recommended Action: Update to version 8.66, or a newer patched version
Plugin: Wishlist Member
Vulnerability: Authenticated (Subscriber+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP 2FA – Two-factor authentication for WordPress
Vulnerability: Unauthenticated Information Exposure via Log File
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version
Plugin: HTML5 Audio Player- Best WordPress Audio Player Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.24
Recommended Action: Update to version 2.2.24, or a newer patched version
Plugin: Advanced Custom Fields Pro
Vulnerability: Missing Authorization
Patched Version: 6.3.2
Recommended Action: Update to version 6.3.2, or a newer patched version
Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via read_more_text Parameter
Patched Version: 3.5.6
Recommended Action: Update to version 3.5.6, or a newer patched version
Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version
Plugin: Themesflat Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: WP-Recall – Registration, Profile, Commerce & More
Vulnerability: Cross-Site Request Forgery
Patched Version: 16.26.7
Recommended Action: Update to version 16.26.7, or a newer patched version
Plugin: SuperSaaS – online appointment scheduling
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.10
Recommended Action: Update to version 2.1.10, or a newer patched version
Plugin: Frontend Checklist
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version
Plugin: IdeaPush
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 8.61
Recommended Action: Update to version 8.61, or a newer patched version
Plugin: Ibtana – WordPress Website Builder
Vulnerability: Type not specified in this summary (affects Ibtana – WordPress Website Builder <= 1.2.3.3)
Patched Version: 1.2.3.4
Recommended Action: Update to version 1.2.3.4, or a newer patched version
Plugin: Muslim Prayer Time BD – Prayer Reminder for Bangladesh
Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ultimate Addons for Elementor
Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 1.36.32
Recommended Action: Update to version 1.36.32, or a newer patched version
Plugin: Simple Photoswipe
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Prayer
Vulnerability: Cross-Site Request Forgery to Email Settings Update
Patched Version: 2.4.8
Recommended Action: Update to version 2.4.8, or a newer patched version
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Type not specified in this summary
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version
Plugin: Stackable – Page Builder Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.13.2
Recommended Action: Update to version 3.13.2, or a newer patched version
Plugin: Wishlist Member
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Support SVG – Upload svg files in wordpress without hassle
Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Permalink Manager Lite
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3.4
Recommended Action: Update to version 2.4.3.4, or a newer patched version
Plugin: All-in-One Addons for Elementor – WidgetKit
Vulnerability: Missing Authorization to Notice Dismissal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Easy Affiliate Links
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Settings Reset
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version
Plugin: Salon Booking System
Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 10.0
Recommended Action: Update to version 10.0, or a newer patched version
Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version
Plugin: Uncanny Toolkit Pro for LearnDash
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.4.1
Recommended Action: Update to version 4.1.4.1, or a newer patched version
Plugin: Business Directory Plugin – Easy Listing Directories for WordPress
Vulnerability: Authenticated (Author+) CSV Injection
Patched Version: 6.4.4
Recommended Action: Update to version 6.4.4, or a newer patched version
Plugin: WooCommerce
Vulnerability: Authenticated (Shop Manager+) Content Injection
Patched Version: 9.0.0
Recommended Action: Update to version 9.0.0, or a newer patched version
Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon
Vulnerability: Unauthenticated Sensitive Information Exposure via Logs
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version
Plugin: Woffice Core
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.4.9
Recommended Action: Update to version 5.4.9, or a newer patched version
Plugin: Wishlist Member
Vulnerability: Missing Authorization to Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Themesflat Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via URLs
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version
Plugin: Elementor Website Builder – More than Just a Page Builder
Vulnerability: Authenticated (Contributor+) Arbitrary SVG Download
Patched Version: 3.22.2
Recommended Action: Update to version 3.22.2, or a newer patched version
Plugin: Slideshow SE
Vulnerability: Authenticated (Author+) Limited Local File Inclusion
Patched Version: 2.5.18
Recommended Action: Update to version 2.5.18, or a newer patched version
Plugin: WP QuickLaTeX
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.8
Recommended Action: Update to version 3.8.8, or a newer patched version
Plugin: LA-Studio Element Kit for Elementor
Vulnerability: Authenticated (Contributor+) Local File Inclusion via ‘progress_type’
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version
Plugin: WP eStore
Vulnerability: Cross-Site Request Forgery to Coupon Deletion
Patched Version: 8.5.5
Recommended Action: Update to version 8.5.5, or a newer patched version
Plugin: SEO SIMPLE PACK
Vulnerability: Information Exposure
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress
Vulnerability: Type not specified in this summary (affects All-in-one Google Analytics, Pixels and Product Feed Manager for WooCommerce <= 7.1.0)
Patched Version: 7.1.1
Recommended Action: Update to version 7.1.1, or a newer patched version
Plugin: Typing Text
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version
Plugin: Super Testimonials
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting in Google Maps Widget
Patched Version: 3.2.43
Recommended Action: Update to version 3.2.43, or a newer patched version
Plugin: WP Tweet Walls
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version
Plugin: Email Before Download
Vulnerability: Cross-Site Request Forgery
Patched Version: 6.9.8
Recommended Action: Update to version 6.9.8, or a newer patched version
Plugin: PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via section title tag
Patched Version: 7.7.2
Recommended Action: Update to version 7.7.2, or a newer patched version
Plugin: Cost Calculator Builder
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Creation
Patched Version: 3.2.13
Recommended Action: Update to version 3.2.13, or a newer patched version
Plugin: WP Lightbox 2
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.0.6.7
Recommended Action: Update to version 3.0.6.7, or a newer patched version
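A list this long is only useful if it is checked against what is actually installed. The script below is an added example, not code from the original post or from any of the plugins above: it parses entries written in the list's own "Plugin:/Vulnerability:/Patched Version:/Recommended Action:" format and compares them with a site's installed versions. ADVISORY_TEXT holds a few entries copied (one of them abridged) from the list; INSTALLED is a constructed inventory with made-up version numbers, standing in for what `wp plugin list --fields=name,version --format=json` and `wp core version` would report. It assumes inventory names match the advisory's "Plugin:" lines exactly (a real site needs a slug-to-display-name map). Two details matter in practice and are handled: versions must be compared numerically per segment (1.9 is older than 1.10, string comparison gets that backwards), and the WordPress core entry lists one fix release per branch, so a 6.2.x site should be told 6.2.6 rather than 6.5.5.

```python
"""Cross-check installed WordPress plugin/core versions against an advisory list.
Added example; advisory entries are copied from the list above (abridged),
INSTALLED is a constructed inventory with made-up version numbers."""
import re
from dataclasses import dataclass, field
from typing import Optional

VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")   # matches 1.3.52, 4.2.6.8.2, 8.66 ...

ADVISORY_TEXT = """\
Plugin: Falang multilanguage for WordPress
Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.52
Recommended Action: Update to version 1.3.52, or a newer patched version
Plugin: Embed Peertube Playlist
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version
Plugin: Wishlist Member
Vulnerability: Authenticated (Subscriber+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. It may be best to uninstall the affected software.
Plugin: Contact Form 7
Vulnerability: Unauthenticated Open Redirect
Patched Version: 5.9.5
Recommended Action: Update to version 5.9.5, or a newer patched version
Core: WordPress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML API
Patched Version: 5.9.10
Recommended Action: Update to one of the following versions, or a newer patched version: 5.9.10, 6.0.9, 6.1.7, 6.2.6, 6.3.5, 6.4.5, 6.5.5
"""

# Constructed inventory: display name -> installed version (numbers are made up).
INSTALLED = {
    "WordPress": "6.2.4",
    "Falang multilanguage for WordPress": "1.3.50",
    "Embed Peertube Playlist": "1.9",
    "Wishlist Member": "3.0.0",
    "Contact Form 7": "5.9.6",
}


@dataclass
class Entry:
    kind: str                      # "plugin" or "core"
    name: str
    vulnerability: str = ""
    patched: list = field(default_factory=list)   # empty when no patch exists
    action: str = ""


@dataclass
class Finding:
    name: str
    vulnerability: str
    installed: str
    status: str                    # "vulnerable", "unpatched" or "ok"
    fix: Optional[str]             # version to update to, if any


def parse_version(v: str) -> tuple:
    """Dotted version -> tuple of ints, so 1.10 > 1.9. Non-numeric suffixes are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def version_lt(a: str, b: str) -> bool:
    """True if a < b. Missing trailing segments count as 0, so 1.0 == 1.0.0
    (PHP's version_compare ranks 1.0 lower; equality is what we want here)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def parse_advisory(text: str) -> list:
    entries, cur = [], None
    for line in text.splitlines():
        key, _, val = line.partition(":")   # first colon only: plugin names may contain ':'
        val = val.strip()
        if key in ("Plugin", "Core"):
            cur = Entry(kind=key.lower(), name=val)
            entries.append(cur)
        elif cur is None:
            continue
        elif key == "Vulnerability":
            cur.vulnerability = val
        elif key == "Patched Version":
            cur.patched = VERSION_RE.findall(val)   # "No patched version available" -> []
        elif key == "Recommended Action":
            cur.action = val
            listed = VERSION_RE.findall(val)
            if len(listed) > len(cur.patched):      # core lists one fix per release branch
                cur.patched = listed
    return entries


def required_fix(installed: str, patched: list) -> Optional[str]:
    """Version the site must reach, or None if already at or past the fix.
    Prefer the fix from the same major.minor branch; otherwise use the highest listed."""
    branch = parse_version(installed)[:2]
    same = [p for p in patched if parse_version(p)[:2] == branch]
    target = same[0] if same else max(patched, key=parse_version)
    return target if version_lt(installed, target) else None


def assess(entries: list, installed: dict) -> list:
    findings = []
    for e in entries:
        v = installed.get(e.name)
        if v is None:
            continue                                # not installed, nothing to do
        if not e.patched:                           # every installed version is affected
            findings.append(Finding(e.name, e.vulnerability, v, "unpatched", None))
            continue
        fix = required_fix(v, e.patched)
        findings.append(Finding(e.name, e.vulnerability, v, "vulnerable" if fix else "ok", fix))
    return findings


def report(findings: list) -> str:
    lines = []
    for f in findings:
        if f.status == "ok":
            continue
        what = f"update to {f.fix}" if f.fix else "no patch; mitigate or remove"
        lines.append(f"[{f.status.upper()}] {f.name} {f.installed}: {f.vulnerability} -> {what}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(assess(parse_advisory(ADVISORY_TEXT), INSTALLED)))
```

Run it against the full list by pasting the page's entries into ADVISORY_TEXT and replacing INSTALLED with real WP-CLI output. Entries with "No patched version available" are reported as unpatched regardless of version, which is the right default: the advisory gives no version at which they become safe.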
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.