Watch Out Wednesday – July 31, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Add Admin CSS

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Passster – Password Protect Pages and Content

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 4.2.6.3
Recommended Action: Update to version 4.2.6.3, or a newer patched version

Plugin: Complianz – GDPR/CCPA Cookie Consent

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 6.5.6
Recommended Action: Update to version 6.5.6, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Cross-Site Request Forgery to Settings Update in enableOptimization
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: WP Meta SEO

Vulnerability: Information Exposure via Meta Description
Patched Version: 4.5.13
Recommended Action: Update to version 4.5.13, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via imported form title
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version

Plugin: Manage Notification E-mails

Vulnerability: Missing Authorization
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: Elementor Addons by Livemesh

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.3.2
Recommended Action: Update to version 8.3.2, or a newer patched version

Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 18.5.10
Recommended Action: Update to version 18.5.10, or a newer patched version

Plugin: Happy Addons for Elementor Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.10.0
Recommended Action: Update to version 2.10.0, or a newer patched version

Plugin: IgnitionDeck Crowdfunding Platform

Vulnerability: Missing Authorization
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version

Plugin: Backup Migration

Vulnerability: Unauthenticated Arbitrary Backup Download to Sensitive Information Exposure
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version

Plugin: Categorify – WordPress Media Library Category & File Manager

Vulnerability: Cross-Site Request Forgery via categorifyAjaxDeleteCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version

Plugin: Display custom fields in the frontend – Post and User Profile Fields

Vulnerability: Insecure Direct Object Reference to Authenticated (Contributor+) Post Meta Disclosure
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Translate WordPress with ConveyThis

Vulnerability: Unauthenticated Stored Cross-Site Scripting via api_key
Patched Version: 224
Recommended Action: Update to version 224, or a newer patched version

Plugin: Category Posts Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.9.17
Recommended Action: Update to version 4.9.17, or a newer patched version

Plugin: Simple Job Board

Vulnerability: Missing Authorization to Unauthenticated Information Disclosure
Patched Version: 2.11.0
Recommended Action: Update to version 2.11.0, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.1.20
Recommended Action: Update to version 5.1.20, or a newer patched version

Plugin: Backup Migration

Vulnerability: Unauthenticated Path Traversal to Arbitrary File Deletion
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Tutor LMS – Migration Tool

Vulnerability: Missing Authorization in tutor_import_from_xml
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AI Engine

Vulnerability: Authenticated (Editor+) Arbitrary File Upload via add_image_from_url
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: WP 2FA – Two-factor authentication for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: Login by Auth0

Vulnerability: Reflected Cross-Site Scripting via wle
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: Tutor LMS – Migration Tool

Vulnerability: Missing Authorization in tutor_lp_export_xml
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Fast Total Search – The Power of Indexed Search

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.70.236
Recommended Action: Update to version 1.70.236, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 7.0.2
Recommended Action: Update to version 7.0.2, or a newer patched version

Plugin: Flipbox Builder

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: (Simply) Guest Author Name

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.35
Recommended Action: Update to version 4.35, or a newer patched version

Plugin: Starbox – the Author Box for Humans

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Display Name and Social Settings
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Wrapper Link Widget
Patched Version: 4.10.17
Recommended Action: Update to version 4.10.17, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 2.9.4
Recommended Action: Update to version 2.9.4, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘group_tag’
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: Add Admin JavaScript

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Chatbot with ChatGPT WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: YARPP – Yet Another Related Posts Plugin

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 5.30.10
Recommended Action: Update to version 5.30.10, or a newer patched version

Plugin: The Moneytizer

Vulnerability: Cross-Site Request Forgery via multiple AJAX actions
Patched Version: 10.0.1
Recommended Action: Update to version 10.0.1, or a newer patched version

Plugin: Meks Easy Ads Widget

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.9
Recommended Action: Update to version 2.0.9, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Missing Authorization to Settings Update in enableOptimization
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: EAN Barcode Generator for WooCommerce: UPC, ISBN & GTIN Inventory

Vulnerability: Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version

Plugin: 5280 Bootstrap Modal Contact Form

Vulnerability: Cross-Site Request Forgery to Bulk Delete Messages
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: File Manager

Vulnerability: Sensitive Information Exposure via Backup Filenames
Patched Version: 7.2.2
Recommended Action: Update to version 7.2.2, or a newer patched version

Plugin: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms

Vulnerability: Cross-Site Request Forgery (CSRF) via sfs_process
Patched Version: 2024.5
Recommended Action: Update to version 2024.5, or a newer patched version

Plugin: WPFront Notification Bar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via wpfront-notification-bar-options[custom_class]
Patched Version: 3.4
Recommended Action: Update to version 3.4, or a newer patched version

Plugin: EventON

Vulnerability: WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Custom Content Types and Fields
Patched Version: 2.7.31.2
Recommended Action: Update to one of the following versions, or a newer patched version: 2.7.31.2, 2.8.23.2, 2.9.19.2, 3.0.10.2

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Missing Authorization via openai_file_list_callback
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: Categorify – WordPress Media Library Category & File Manager

Vulnerability: Missing Authorization in categorifyAjaxAddCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version

Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 23.1.3
Recommended Action: Update to version 23.1.3, or a newer patched version

Plugin: GEO my WP

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 4.5.0.2
Recommended Action: Update to version 4.5.0.2, or a newer patched version

Plugin: File Manager Pro

Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 8.3.5
Recommended Action: Update to version 8.3.5, or a newer patched version

Plugin: FeedWordPress

Vulnerability: Insecure Direct Object Reference
Patched Version: 2024.0428
Recommended Action: Update to version 2024.0428, or a newer patched version

Plugin: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Vulnerability: Authenticated (Shop Manager+) Stored Cross-Site Scripting via variable pricing options
Patched Version: 3.2.7
Recommended Action: Update to version 3.2.7, or a newer patched version

Plugin: Starbox – the Author Box for Humans

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via Job Settings
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via header_tag
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: Backuply – Backup, Restore, Migrate and Clone

Vulnerability: Backup, Restore, Migrate and Clone <= 1.2.6
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Reflected Cross-Site Scripting via Referer
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Command Injection
Patched Version: 4.2.5.8
Recommended Action: Update to version 4.2.5.8, or a newer patched version

Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery via RSS Feed Source
Patched Version: 4.23.6
Recommended Action: Update to version 4.23.6, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Insecure Direct Object Reference to Information Disclosure
Patched Version: 4.2.5.8
Recommended Action: Update to version 4.2.5.8, or a newer patched version

Plugin: 10Web AI Assistant – AI content writing assistant

Vulnerability: Missing Authorization to Arbitrary Plugin Installation
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Link Wrapper
Patched Version: 4.0.18
Recommended Action: Update to version 4.0.18, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Missing Authorization to Plugin Settings Change via wppb_two_factor_authentication_settings_update
Patched Version: 3.10.9
Recommended Action: Update to version 3.10.9, or a newer patched version

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via custom fields
Patched Version: 2.10.27
Recommended Action: Update to version 2.10.27, or a newer patched version

Plugin: Social Auto Poster

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 5.3.15
Recommended Action: Update to version 5.3.15, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.88
Recommended Action: Update to version 1.3.88, or a newer patched version

Plugin: Custom Field Template

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Contributor+) Remote Code Execution via template import
Patched Version: 1.5.91
Recommended Action: Update to version 1.5.91, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Missing Authorization via purchased_new_products
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: Stripe Payment Plugin for WooCommerce

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.8.0
Recommended Action: Update to version 3.8.0, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.10.2
Recommended Action: Update to version 3.10.2, or a newer patched version

Plugin: GP Unique ID

Vulnerability: Unauthenticated Form Submission Unique ID Modification
Patched Version: 1.5.6
Recommended Action: Update to version 1.5.6, or a newer patched version

Plugin: Registrations for the Events Calendar – Event Registration Plugin

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2.12.3
Recommended Action: Update to version 2.12.3, or a newer patched version

Plugin: Piotnet Addons For Elementor

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 2.4.30
Recommended Action: Update to version 2.4.30, or a newer patched version

Plugin: MapPress Maps for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.88.14
Recommended Action: Update to version 2.88.14, or a newer patched version

Plugin: WP 404 Auto Redirect to Similar Post

Vulnerability: Reflected Cross-Site Scripting via Debug Mode URI
Patched Version: 1.0.5
Recommended Action: Update to version 1.0.5, or a newer patched version

Plugin: Custom Twitter Feeds – A Tweets Widget or X Feed Widget

Vulnerability: Cross-Site Request Forgery to Plugin Options Update
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: Meta Box

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.3
Recommended Action: Update to version 5.9.3, or a newer patched version

Plugin: WP Booking Calendar

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via bookingform Shortcode
Patched Version: 10.2.2
Recommended Action: Update to version 10.2.2, or a newer patched version

Plugin: Views for WPForms – Display & Edit WPForms Entries on your site frontend

Vulnerability: Missing Authorization via get_form_fields
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Custom post types, Custom Fields & more

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: Exclusive Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Cross-Site Request Forgery to Plugin Data Removal in reinitialize
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: Master Slider – Responsive Touch Slider

Vulnerability: Responsive Touch Slider <= 3.9.9
Patched Version: 3.9.10
Recommended Action: Update to version 3.9.10, or a newer patched version

Plugin: Matomo Analytics – Ethical Stats. Powerful Insights.

Vulnerability: Reflected Cross-Site Scripting via idsite
Patched Version: 5.0.1
Recommended Action: Update to version 5.0.1, or a newer patched version

Plugin: Advanced iFrame

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2024.0
Recommended Action: Update to version 2024.0, or a newer patched version

Plugin: WP GoToWebinar

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 15.8
Recommended Action: Update to version 15.8, or a newer patched version

Plugin: InfiniteWP Client

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.12.3.1
Recommended Action: Update to version 1.12.3.1, or a newer patched version

Plugin: Colibri Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.240
Recommended Action: Update to version 1.0.240, or a newer patched version

Plugin: Display custom fields in the frontend – Post and User Profile Fields

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via vg_display_data
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.2
Recommended Action: Update to version 3.8.2, or a newer patched version

Plugin: WPForms Pro

Vulnerability: 1.8.5.3
Patched Version: 1.8.5.4
Recommended Action: Update to version 1.8.5.4, or a newer patched version

Plugin: Ultimate Blocks – WordPress Blocks Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via metabox
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Missing Authorization via openai_file_upload_callback
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: Views for WPForms – Display & Edit WPForms Entries on your site frontend

Vulnerability: Cross-Site Request Forgery via create_view
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Backup Migration

Vulnerability: Unauthenticated Remote Code Execution
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Simple Membership

Vulnerability: Reflected Cross-Site Scripting Vulnerability via environment_mode
Patched Version: 4.3.9
Recommended Action: Update to version 4.3.9, or a newer patched version

Plugin: Social Auto Poster

Vulnerability: Missing Authorization via Multiple Functions
Patched Version: 5.3.15
Recommended Action: Update to version 5.3.15, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Missing Authorization via API
Patched Version: 2.12.6
Recommended Action: Update to version 2.12.6, or a newer patched version

Plugin: Social Auto Poster

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 5.3.15
Recommended Action: Update to version 5.3.15, or a newer patched version

Plugin: Gutenverse – Ultimate Block Addons and Page Builder for Site Editor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Mobile-Friendly Image Gallery <= 1.8.19
Patched Version: 1.8.20
Recommended Action: Update to version 1.8.20, or a newer patched version

Plugin: Social Auto Poster

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 5.3.15
Recommended Action: Update to version 5.3.15, or a newer patched version

Plugin: Views for WPForms – Display & Edit WPForms Entries on your site frontend

Vulnerability: Missing Authorization via save_view
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Unauthenticated Second Order SQL Injection
Patched Version: 3.7.2
Recommended Action: Update to version 3.7.2, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Missing Authorization to Plugin Data Removal in reinitialize
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: WP Mobile Menu – The Mobile-Friendly Responsive Menu

Vulnerability: Missing Authorization to _mobmenu_icon Post Meta Modification
Patched Version: 2.8.5
Recommended Action: Update to version 2.8.5, or a newer patched version

Plugin: EasyAzon – Amazon Associates Affiliate Plugin

Vulnerability: Reflected Cross-Site Scripting via easyazon-cloaking-locale
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery via remove_from_wishlist
Patched Version: 1.3.88
Recommended Action: Update to version 1.3.88, or a newer patched version

Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Vulnerability: Missing Authorization to Settings Modification
Patched Version: 6.5.3
Recommended Action: Update to version 6.5.3, or a newer patched version

Plugin: Gallery Plugin for WordPress – Envira Photo Gallery

Vulnerability: Missing Authorization to Gallery Modification via envira_gallery_insert_images
Patched Version: 1.8.7.3
Recommended Action: Update to version 1.8.7.3, or a newer patched version

Plugin: Qi Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.8
Recommended Action: Update to version 1.6.8, or a newer patched version

Plugin: PPWP – Password Protect Pages

Vulnerability: Protection Mechanism Bypass
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: MW WP Form

Vulnerability: Improper Limitation of File Name to Unauthenticated Arbitrary File Deletion
Patched Version: 5.0.4
Recommended Action: Update to version 5.0.4, or a newer patched version

Plugin: Beaver Themer

Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via shortcode
Patched Version: 1.4.9.1
Recommended Action: Update to version 1.4.9.1, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image URL
Patched Version: 5.9.5
Recommended Action: Update to version 5.9.5, or a newer patched version

Plugin: Internal Link Juicer: SEO Auto Linker for WordPress

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.23.5
Recommended Action: Update to version 2.23.5, or a newer patched version

Plugin: Edubin

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cookie Information | Free GDPR Consent Solution

Vulnerability: Authenticated (Subscriber+) Arbitrary Options Update
Patched Version: 2.0.23
Recommended Action: Update to version 2.0.23, or a newer patched version

Plugin: Affiliates Manager

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.9.35
Recommended Action: Update to version 2.9.35, or a newer patched version

Plugin: WP EasyPay – Create Your Payment Forms to Pay with Square – Square for WordPress Plugin: Integrate Square with WordPress to Collect Payments

Vulnerability: Missing Authorization to Unauthenticated Service Disconnection
Patched Version: 4.2.4
Recommended Action: Update to version 4.2.4, or a newer patched version

Plugin: Elementor Website Builder – More than Just a Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via get_image_alt
Patched Version: 3.19.0
Recommended Action: Update to version 3.19.0, or a newer patched version

Plugin: Gestpay for WooCommerce

Vulnerability: Cross-Site Request Forgery (CSRF) via ajax_unset_default_card
Patched Version: 20240307
Recommended Action: Update to version 20240307, or a newer patched version

Plugin: ArtiBot Free Chat Bot for WebSites

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Directory Traversal
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: WPC Smart Quick View for WooCommerce

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.0.3
Recommended Action: Update to version 4.0.3, or a newer patched version

Plugin: Categorify – WordPress Media Library Category & File Manager

Vulnerability: Missing Authorization in categorifyAjaxUpdateFolderPosition
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version

Plugin: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

Vulnerability: Authenticated (Contributor+) Blind Server-Side Request Forgery (SSRF)
Patched Version: 4.4.8
Recommended Action: Update to version 4.4.8, or a newer patched version

Plugin: WP-Members Membership Plugin

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 3.4.9
Recommended Action: Update to version 3.4.9, or a newer patched version

Plugin: Automatic Translator with Google Translate

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Custom Font
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Import and export users and customers

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.24.4
Recommended Action: Update to version 1.24.4, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Link
Patched Version: 1.5.97
Recommended Action: Update to version 1.5.97, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 6.7.1
Recommended Action: Update to version 6.7.1, or a newer patched version

Plugin: FileBird – WordPress Media Library Folders & File Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via Folder Import
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version

Plugin: Bold Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_button Shortcode
Patched Version: 5.0.3
Recommended Action: Update to version 5.0.3, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 5.38.10
Recommended Action: Update to version 5.38.10, or a newer patched version

Plugin: Easy!Appointments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Better Find and Replace

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.6.2
Recommended Action: Update to version 1.6.2, or a newer patched version

Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon

Vulnerability: Missing Authorization via atkp_import_product
Patched Version: 3.5.5
Recommended Action: Update to version 3.5.5, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Insecure Direct Object Reference to Information Disclosure
Patched Version: 7.0.0
Recommended Action: Update to version 7.0.0, or a newer patched version

Plugin: Telegram Bot & Channel

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.

Vulnerability: Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting
Patched Version: 5.7.10
Recommended Action: Update to version 5.7.10, or a newer patched version

Plugin: Arconix FAQ

Vulnerability: Missing Authorization
Patched Version: 1.9.5
Recommended Action: Update to version 1.9.5, or a newer patched version

Plugin: Bulgarisation for WooCommerce

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0.15
Recommended Action: Update to version 3.0.15, or a newer patched version

Plugin: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Ready Function
Patched Version: 1.15.3
Recommended Action: Update to version 1.15.3, or a newer patched version

Plugin: Active Products Tables for WooCommerce. Use constructor to create tables

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.6.2
Recommended Action: Update to version 1.0.6.2, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Information Exposure to Potential Denial of Service
Patched Version: 9.0.35
Recommended Action: Update to version 9.0.35, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.0.1
Recommended Action: Update to version 7.0.1, or a newer patched version

Plugin: Mollie Forms

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Duplication
Patched Version: 2.6.14
Recommended Action: Update to version 2.6.14, or a newer patched version

Plugin: Ultimate WordPress Auction Plugin

Vulnerability: Missing Authorization to Unauthenticated Email Creation
Patched Version: 4.2.8
Recommended Action: Update to version 4.2.8, or a newer patched version

Plugin: Author Box, Guest Author and Co-Authors for Your Posts – Molongui

Vulnerability: Information Exposure via ma_debug
Patched Version: 4.7.5
Recommended Action: Update to version 4.7.5, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via icon_color
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Sensitive Information Exposure via purchased_products
Patched Version: 2.4.7
Recommended Action: Update to version 2.4.7, or a newer patched version

Plugin: AI Engine

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: Media.net Ads Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.0.0
Recommended Action: Update to version 7.0.0, or a newer patched version

Plugin: FancyBox for WordPress

Vulnerability: 3.3.3
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: WP Customer Area

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.2.3
Recommended Action: Update to version 8.2.3, or a newer patched version

Plugin: Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Clover Payment Gateway

Vulnerability: Missing Authorization via callback_handler
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Plugin: Categorify – WordPress Media Library Category & File Manager

Vulnerability: Cross-Site Request Forgery via categorifyAjaxRenameCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.2.5
Recommended Action: Update to version 3.4.2.5, or a newer patched version

Plugin: JetWidgets for Elementor and WooCommerce

Vulnerability: Authenticated (Contributor+) Limited Local File Inclusion
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels

Vulnerability: Missing Authorization to Order Export
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: Arconix Shortcodes

Vulnerability: Missing Authorization
Patched Version: 2.1.12
Recommended Action: Update to version 2.1.12, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via PDF View Widget
Patched Version: 3.11.3
Recommended Action: Update to version 3.11.3, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.86
Recommended Action: Update to version 3.2.86, or a newer patched version

Plugin: Related Posts for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.2
Recommended Action: Update to version 2.2.2, or a newer patched version

Plugin: ClickCease Click Fraud Protection

Vulnerability: Improper Authorization to Sensitive Information Exposure via get_settings
Patched Version: 3.2.5
Recommended Action: Update to version 3.2.5, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Cross-Site Request Forgery to Settings Update in stopOptimizeAll
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: WP Meteor Website Speed Optimization Addon

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via onClick Events
Patched Version: 4.10.19
Recommended Action: Update to version 4.10.19, or a newer patched version

Plugin: LearnDash LMS

Vulnerability: Sensitive Information Exposure via API
Patched Version: 4.10.2
Recommended Action: Update to version 4.10.2, or a newer patched version

Plugin: Visual Composer Website Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 45.7.0
Recommended Action: Update to version 45.7.0, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 6.4.7
Recommended Action: Update to version 6.4.7, or a newer patched version

Plugin: Custom Field Template

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field Name
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Page Restrict

Vulnerability: Protection Mechanism Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.1.20
Recommended Action: Update to version 5.1.20, or a newer patched version

Plugin: Security Optimizer – The All-In-One Protection Plugin

Vulnerability: Missing Authorization via hide_notice()
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: WP Reset – Most Advanced WordPress Reset Tool

Vulnerability: Sensitive Information Exposure due to Insufficient Randomness
Patched Version: 2.01
Recommended Action: Update to version 2.01, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Title
Patched Version: 3.2.20
Recommended Action: Update to version 3.2.20, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via Welcome Screen Fields
Patched Version: 5.1.20
Recommended Action: Update to version 5.1.20, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Unauthenticated SQL Injection via order_by
Patched Version: 4.2.5.8
Recommended Action: Update to version 4.2.5.8, or a newer patched version

Plugin: PowerPack for Beaver Builder

Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 2.33.1
Recommended Action: Update to version 2.33.1, or a newer patched version

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.8.2
Recommended Action: Update to version 1.0.8.2, or a newer patched version

Plugin: Categorify – WordPress Media Library Category & File Manager

Vulnerability: Cross-Site Request Forgery via categorifyAjaxUpdateFolderPosition
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version

Plugin: Contact Form, Survey, Quiz & Popup Form Builder – ARForms

Vulnerability: Unauthenticated Stored Cross-Site Scripting via arf_http_referrer_url
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.3
Recommended Action: Update to version 5.9.3, or a newer patched version

Plugin: WP 404 Auto Redirect to Similar Post

Vulnerability: Reflected Cross-Site Scripting via request
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: EventON

Vulnerability: WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.8 (Free)
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Zoho Marketing Automation

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Backuply – Backup, Restore, Migrate and Clone

Vulnerability: Authenticated (Administrator+) Directory Traversal
Patched Version: 1.2.4
Recommended Action: Update to version 1.2.4, or a newer patched version

Plugin: The Moneytizer

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 10.0.1
Recommended Action: Update to version 10.0.1, or a newer patched version

Plugin: LearnDash LMS

Vulnerability: Sensitive Information Exposure via assignments
Patched Version: 4.10.2
Recommended Action: Update to version 4.10.2, or a newer patched version

Plugin: Order Delivery Date for WP e-Commerce

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Meks Smart Social Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: Social Auto Poster

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update via wpw_auto_poster_update_tweet_template
Patched Version: 5.3.15
Recommended Action: Update to version 5.3.15, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Recipe Notes
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: Gestpay for WooCommerce

Vulnerability: Cross-Site Request Forgery (CSRF) via ajax_delete_card
Patched Version: 20240307
Recommended Action: Update to version 20240307, or a newer patched version

Plugin: EventPrime – Events Calendar, Bookings and Tickets

Vulnerability: Unauthenticated Booking Payment Bypass
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Reflected Cross-Site Scripting via msg
Patched Version: 2.8.7
Recommended Action: Update to version 2.8.7, or a newer patched version

Plugin: Getwid – Gutenberg Blocks

Vulnerability: Missing Authorization to Recaptcha API Key Modification
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version

Plugin: Categorify – WordPress Media Library Category & File Manager

Vulnerability: Cross-Site Request Forgery via categorifyAjaxAddCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version

Plugin: Bug Library

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to Force HTTPS, Security+

Vulnerability: Sensitive Information Exposure via insufficiently protected files
Patched Version: 7.1.0
Recommended Action: Update to version 7.1.0, or a newer patched version

Plugin: Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages

Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Download Manager

Vulnerability: Missing Authorization
Patched Version: 3.2.85
Recommended Action: Update to version 3.2.85, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.2.98
Recommended Action: Update to version 3.2.98, or a newer patched version

Plugin: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Error Message
Patched Version: 4.3.4
Recommended Action: Update to version 4.3.4, or a newer patched version

Plugin: Gestpay for WooCommerce

Vulnerability: Cross-Site Request Forgery (CSRF) via ajax_set_default_card
Patched Version: 20240307
Recommended Action: Update to version 20240307, or a newer patched version

Plugin: AI ChatBot for WordPress – WPBot

Vulnerability: Missing Authorization via openai_file_delete_callback
Patched Version: 5.3.6
Recommended Action: Update to version 5.3.6, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Unauthenticated Stored Cross-Site Scripting via device
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: Custom Field Template

Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: LiteSpeed Cache

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.3
Recommended Action: Update to version 6.3, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: RomethemeForm For Elementor

Vulnerability: Missing Authorization via export_entries, rtformnewform, and rtformupdate
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Missing Authorization
Patched Version: 4.0.1
Recommended Action: Update to version 4.0.1, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Magazine Grid/Slider Widget
Patched Version: 1.3.981
Recommended Action: Update to version 1.3.981, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 6.11.2
Recommended Action: Update to version 6.11.2, or a newer patched version

Plugin: ArtiBot Free Chat Bot for WebSites

Vulnerability: Missing Authorization to Settings Update
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version

Plugin: Vimeography: Vimeo Video Gallery WordPress Plugin

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 2.3.3
Recommended Action: Update to version 2.3.3, or a newer patched version

Plugin: Magical Posts Display – Elementor Advanced Posts widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.39
Recommended Action: Update to version 1.2.39, or a newer patched version

Plugin: AMP for WP – Accelerated Mobile Pages

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.93
Recommended Action: Update to version 1.0.93, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Improper Authorization via woolentor_template_store
Patched Version: 2.8.2
Recommended Action: Update to version 2.8.2, or a newer patched version

Plugin: Oliver POS – A WooCommerce Point of Sale (POS)

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.1.9
Recommended Action: Update to version 2.4.1.9, or a newer patched version

Plugin: Better Search Replace

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Advanced File Manager Shortcodes

Vulnerability: Authenticated (Contributor+) Directory Traversal
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 1.4.1.7
Recommended Action: Update to version 1.4.1.7, or a newer patched version

Plugin: Livemesh Addons for Beaver Builder

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.7
Recommended Action: Update to version 3.7, or a newer patched version

Plugin: Comments Extra Fields For Post,Pages and CPT

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: WP Maintenance

Vulnerability: IP Spoofing to Maintenance Mode Bypass
Patched Version: 6.1.9.3
Recommended Action: Update to version 6.1.9.3, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Missing Authorization to Settings Update in optimizeAllOn
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: Limit Login Attempts Reloaded

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.25.27
Recommended Action: Update to version 2.25.27, or a newer patched version

Plugin: Advanced Woo Search

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.97
Recommended Action: Update to version 2.97, or a newer patched version

Plugin: Exclusive Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Link Anything
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Admin Trim Interface

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AA Cash Calculator

Vulnerability: Reflected Cross-Site Scripting via invoice
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Share Buttons Adder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via CSS Settings
Patched Version: 8.4.12
Recommended Action: Update to version 8.4.12, or a newer patched version

Plugin: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via RSS Feed Source
Patched Version: 4.23.5
Recommended Action: Update to version 4.23.5, or a newer patched version

Plugin: File Manager

Vulnerability: Directory Traversal
Patched Version: 7.2.2
Recommended Action: Update to version 7.2.2, or a newer patched version

Plugin: File Manager Pro

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 8.3.5
Recommended Action: Update to version 8.3.5, or a newer patched version

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Cross-Site Request Forgery to Subscriber Deletion
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Elementor Widget URL Custom Attributes
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Contact Form Message Settings
Patched Version: 3.2.18
Recommended Action: Update to version 3.2.18, or a newer patched version

Plugin: Category Discount Woocommerce

Vulnerability: Missing Authorization via wpcd_save_discount()
Patched Version: 4.13
Recommended Action: Update to version 4.13, or a newer patched version

Plugin: Envo's Elementor Templates & Widgets for WooCommerce

Vulnerability: Missing Authorization via templates_ajax_request
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Custom fields shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Field Template

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: VK Block Patterns

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.31.2.0
Recommended Action: Update to version 1.31.2.0, or a newer patched version

Plugin: GeneratePress Premium

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Meta
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Clever Fox

Vulnerability: Missing Authorization to Arbitrary Theme Activation via clever-fox-activate-theme
Patched Version: 25.2.1
Recommended Action: Update to version 25.2.1, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Missing Authorization and Nonce Exposure
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version

Plugin: Image SEO – AI-Driven Image SEO Optimizer

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 3.1.2
Recommended Action: Update to version 3.1.2, or a newer patched version

Plugin: Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Simple Sitemap – Create a Responsive HTML Sitemap

Vulnerability: Cross-Site Request Forgery via admin_notices
Patched Version: 3.5.14
Recommended Action: Update to version 3.5.14, or a newer patched version

Plugin: Duitku Payment Gateway

Vulnerability: Missing Authorization via check_duitku_response
Patched Version: 2.11.7
Recommended Action: Update to version 2.11.7, or a newer patched version

Plugin: Page Restriction WordPress (WP) – Protect WP Pages/Post

Vulnerability: Protection Mechanism Bypass
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Contact Form 7 – Dynamic Text Extension

Vulnerability: Insecure Direct Object Reference
Patched Version: 4.2.0
Recommended Action: Update to version 4.2.0, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery via remove_from_compare
Patched Version: 1.3.88
Recommended Action: Update to version 1.3.88, or a newer patched version

Plugin: JSON API User

Vulnerability: Unauthenticated Privilege Escalation
Patched Version: 3.9.4
Recommended Action: Update to version 3.9.4, or a newer patched version

Plugin: Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Tweet

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEO Plugin by Squirrly SEO

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 12.3.16
Recommended Action: Update to version 12.3.16, or a newer patched version

Plugin: Grow by Tradedoubler – Advertiser Plugin for WooCommerce

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.0.22
Recommended Action: Update to version 2.0.22, or a newer patched version

Plugin: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘tag’
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: Plugin for Google Reviews

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: Views for WPForms – Display & Edit WPForms Entries on your site frontend

Vulnerability: Missing Authorization via create_view
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Blocks, and Elementor Widgets)

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.0.94
Recommended Action: Update to version 1.0.94, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 2.2.65
Recommended Action: Update to version 2.2.65, or a newer patched version

Plugin: Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category, and more

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: WordPress Simple Shopping Cart

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 4.7.2
Recommended Action: Update to version 4.7.2, or a newer patched version

Plugin: Import and export users and customers

Vulnerability: Authenticated (Administrator+) Directory Traversal via Recurring Import Functionality
Patched Version: 1.24.3
Recommended Action: Update to version 1.24.3, or a newer patched version

Plugin: Categorify – WordPress Media Library Category & File Manager

Vulnerability: Missing Authorization in categorifyAjaxClearCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Cross-Site Request Forgery to Level Orders Update
Patched Version: 2.12.8
Recommended Action: Update to version 2.12.8, or a newer patched version

Plugin: LearnDash LMS

Vulnerability: Sensitive Information Exposure via API
Patched Version: 4.10.3
Recommended Action: Update to version 4.10.3, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery (SSRF)
Patched Version: 3.2.12
Recommended Action: Update to version 3.2.12, or a newer patched version

Plugin: Cryptocurrency Widgets – Price Ticker & Coins List

Vulnerability: 2.6.5
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery via add_to_compare
Patched Version: 1.3.88
Recommended Action: Update to version 1.3.88, or a newer patched version

Plugin: AMP for WP – Accelerated Mobile Pages

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.0.97
Recommended Action: Update to version 1.0.97, or a newer patched version

Plugin: Categorify – WordPress Media Library Category & File Manager

Vulnerability: Cross-Site Request Forgery via categorifyAjaxClearCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery via add_to_wishlist
Patched Version: 1.3.88
Recommended Action: Update to version 1.3.88, or a newer patched version

Plugin: Backup Migration

Vulnerability: 1.3.9
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Cross-Site Request Forgery to Settings Update in disableOptimization
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: Sticky Buttons – floating buttons builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 9.0.29
Recommended Action: Update to version 9.0.29, or a newer patched version

Plugin: CopySafe Web Protection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.0
Recommended Action: Update to version 4.0, or a newer patched version

Plugin: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder

Vulnerability: Missing Authorization
Patched Version: 2.6.9
Recommended Action: Update to version 2.6.9, or a newer patched version

Plugin: Intelligence

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Oliver POS – A WooCommerce Point of Sale (POS)

Vulnerability: Missing Authorization
Patched Version: 2.4.2.1
Recommended Action: Update to version 2.4.2.1, or a newer patched version

Plugin: PDF Generator For Fluent Forms – The Contact Form Plugin

Vulnerability: Cross-Site Scripting
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: WooCommerce – PDF Vouchers

Vulnerability: PDF Vouchers <= 4.9.3
Patched Version: 4.9.4
Recommended Action: Update to version 4.9.4, or a newer patched version

Plugin: Review Schema – Review & Structure Data Schema Plugin

Vulnerability: Missing Authorization to Arbitrary Review Update
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Beaver Themer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 1.4.9.1
Recommended Action: Update to version 1.4.9.1, or a newer patched version

Plugin: WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More

Vulnerability: Authenticated (Admin+) SQL Injection to Reflected Cross-Site Scripting
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.8
Recommended Action: Update to version 6.8, or a newer patched version

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.2.6.9
Recommended Action: Update to version 4.2.6.9, or a newer patched version

Plugin: Campaign Monitor for WordPress

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: 2.8.16
Recommended Action: Update to version 2.8.16, or a newer patched version

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 9.7.7
Recommended Action: Update to version 9.7.7, or a newer patched version

Plugin: 2Checkout Payment Gateway for WooCommerce

Vulnerability: Missing Authorization via sniff_ins
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)

Vulnerability: Cross-Site Request Forgery to Sensitive Information Exposure
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit

Vulnerability: Automatic AI Content Writer <= 2.0.5
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Bulgarisation for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.0.15
Recommended Action: Update to version 3.0.15, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 5.1.20
Recommended Action: Update to version 5.1.20, or a newer patched version

Plugin: aThemes Starter Sites

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Patched Version: 1.0.54
Recommended Action: Update to version 1.0.54, or a newer patched version

Plugin: Delete Custom Fields

Vulnerability: Cross-Site Request Forgery to Post Meta Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: iframe

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: AMP for WP – Accelerated Mobile Pages

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Patched Version: 1.0.92.1
Recommended Action: Update to version 1.0.92.1, or a newer patched version

Plugin: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

Vulnerability: Missing Authorization
Patched Version: 4.3.3
Recommended Action: Update to version 4.3.3, or a newer patched version

Plugin: Microsoft Clarity

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.9.4
Recommended Action: Update to version 0.9.4, or a newer patched version

Plugin: Google Analytics 4 (GA4), Google Ads, Meta Pixel, GTM & Multiple Pixels for Woocommerce & WordPress

Vulnerability: Authenticated (Subscriber+) SQL Injection via ee_syncProductCategory
Patched Version: 7.0.8
Recommended Action: Update to version 7.0.8, or a newer patched version

Plugin: Strong Testimonials

Vulnerability: Authenticated (Contributor+) Improper Authorization to Views Modification
Patched Version: 3.1.13
Recommended Action: Update to version 3.1.13, or a newer patched version

Plugin: Enable Media Replace

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.1.5
Recommended Action: Update to version 4.1.5, or a newer patched version

Plugin: Starbox – the Author Box for Humans

Vulnerability: Insecure Direct Object Reference
Patched Version: 3.4.8
Recommended Action: Update to version 3.4.8, or a newer patched version

Plugin: Insert PHP Code Snippet

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Custom Content Types and Fields
Patched Version: 2.7.31.2
Recommended Action: Update to one of the following versions, or a newer patched version: 2.7.31.2, 2.8.23.2, 2.9.19.2, 3.0.10.2

Plugin: Categorify – WordPress Media Library Category & File Manager

Vulnerability: Missing Authorization in categorifyAjaxDeleteCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version

Plugin: CrawlWP SEO – Instant Search Engine Indexing & SEO Performance Monitor

Vulnerability: Cross-Site Request Forgery via reset_form
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Calculated Fields Form

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.2.41
Recommended Action: Update to version 1.2.41, or a newer patched version

Plugin: EventON

Vulnerability: WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version

Plugin: Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel

Vulnerability: Cross-Site Request Forgery via save
Patched Version: 2.0.7
Recommended Action: Update to version 2.0.7, or a newer patched version

Plugin: YITH WooCommerce Gift Cards

Vulnerability: Missing Authorization to Unauthenticated WooCommerce Settings Update
Patched Version: 4.13.0
Recommended Action: Update to version 4.13.0, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Cross-Site Request Forgery to Settings Update in optimizeAllOn
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: WP Meta SEO

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Referer header
Patched Version: 4.5.13
Recommended Action: Update to version 4.5.13, or a newer patched version

Plugin: Shariff Wrapper

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.6.10
Recommended Action: Update to version 4.6.10, or a newer patched version

Plugin: Bulk Edit Post Titles

Vulnerability: Missing Authorization via bulkUpdatePostTitles
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP 2FA – Two-factor authentication for WordPress

Vulnerability: Insecure Direct Object Reference to Arbitrary Email Sending
Patched Version: 2.6.0
Recommended Action: Update to version 2.6.0, or a newer patched version

Plugin: WP Compress – Instant Performance & Speed Optimization

Vulnerability: Open Redirect via css
Patched Version: 6.20.02
Recommended Action: Update to version 6.20.02, or a newer patched version

Plugin: Backup Migration

Vulnerability: Authenticated (Admin+) OS Command Injection via url
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Comments Extra Fields For Post,Pages and CPT

Vulnerability: Missing Authorization
Patched Version: 5.1
Recommended Action: Update to version 5.1, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Missing Authorization to Settings Update in disableOptimization
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.9.6
Recommended Action: Update to version 3.9.6, or a newer patched version

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 9.7.6
Recommended Action: Update to version 9.7.6, or a newer patched version

Plugin: Cost of Goods: Product Cost & Profit Calculator for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.9
Recommended Action: Update to version 3.2.9, or a newer patched version

Plugin: FormLift for Infusionsoft Web Forms

Vulnerability: Unauthenticated SQL Injection
Patched Version: 7.5.18
Recommended Action: Update to version 7.5.18, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via meta fields
Patched Version: 1.7.9
Recommended Action: Update to version 1.7.9, or a newer patched version

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: No subtitle
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version

Plugin: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Vulnerability: Missing Authorization via process_review
Patched Version: 7.5.2
Recommended Action: Update to version 7.5.2, or a newer patched version

Plugin: Admin Post Navigation

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: Tables & Table Charts (Premium) <= 6.3.2
Patched Version: 6.4
Recommended Action: Update to version 6.4, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Missing Authorization via wpr_update_form_action_meta
Patched Version: 1.3.88
Recommended Action: Update to version 1.3.88, or a newer patched version

Plugin: PowerPack Pro for Elementor

Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 2.10.15
Recommended Action: Update to version 2.10.15, or a newer patched version

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting via Custom CSS
Patched Version: 2.10.4
Recommended Action: Update to version 2.10.4, or a newer patched version

Plugin: Featured Image from URL (FIFU)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via featured image alt text
Patched Version: 4.5.4
Recommended Action: Update to version 4.5.4, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Cross-Site Request Forgery to Limited Code Execution via Execute
Patched Version: 1.15.22
Recommended Action: Update to version 1.15.22, or a newer patched version

Plugin: YARPP – Yet Another Related Posts Plugin

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 5.30.10
Recommended Action: Update to version 5.30.10, or a newer patched version

Plugin: Aramex Shipping WooCommerce

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Hustle – Email Marketing, Lead Generation, Optins, Popups

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 7.8.5
Recommended Action: Update to version 7.8.5, or a newer patched version

Plugin: Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.12.10
Recommended Action: Update to version 3.12.10, or a newer patched version

Plugin: EAN Barcode Generator for WooCommerce: UPC, ISBN & GTIN Inventory

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via alg_wc_ean_product_meta Shortcode
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version

Plugin: Social Auto Poster

Vulnerability: Cross-Site Request Forgery via Multiple Functions
Patched Version: 5.3.15
Recommended Action: Update to version 5.3.15, or a newer patched version

Plugin: Hostinger Tools

Vulnerability: Missing Authorization to Maintenance Mode Activation
Patched Version: 1.9.8
Recommended Action: Update to version 1.9.8, or a newer patched version

Plugin: UiPress lite | Effortless custom dashboards, admin themes and pages

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 3.4.07
Recommended Action: Update to version 3.4.07, or a newer patched version

Plugin: Custom Field Suite

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version

Plugin: Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells

Vulnerability: Missing Authorization to Authenticated (Contributor+) Settings Update
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: Pods – Custom Content Types and Fields

Vulnerability: Custom Content Types and Fields
Patched Version: 2.7.31.2
Recommended Action: Update to one of the following versions, or a newer patched version: 2.7.31.2, 2.8.23.2, 2.9.19.2, 3.0.10.2

Plugin: Social Auto Poster

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Post Deletion
Patched Version: 5.3.15
Recommended Action: Update to version 5.3.15, or a newer patched version

Plugin: AI Engine

Vulnerability: Authenticated (Admin+) Remote Code Execution
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: SpeedyCache – Cache, Optimization, Performance

Vulnerability: Missing Authorization to Plugin Options Update
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Auto Featured Image (Auto Post Thumbnail)

Vulnerability: Authenticated (Author+) Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Royal Elementor Addons and Templates

Vulnerability: Cross-Site Request Forgery via wpr_update_form_action_meta
Patched Version: 1.3.88
Recommended Action: Update to version 1.3.88, or a newer patched version

Plugin: FooGallery Premium

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Compress – Instant Performance & Speed Optimization

Vulnerability: Unauthenticated Directory Traversal via css
Patched Version: 6.10.34
Recommended Action: Update to version 6.10.34, or a newer patched version

Plugin: Chatbot with ChatGPT WordPress

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: Display custom fields in the frontend – Post and User Profile Fields

Vulnerability: Authenticated (Contributor+) Code Injection
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: WooCommerce Product Table Lite

Vulnerability: Missing Authorization to (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.8.6
Recommended Action: Update to version 3.8.6, or a newer patched version

Plugin: Advanced Database Cleaner

Vulnerability: Authenticated (Administrator+) PHP Object Injection via process_bulk_action
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version

Plugin: Views for WPForms – Display & Edit WPForms Entries on your site frontend

Vulnerability: Cross-Site Request Forgery via save_view
Patched Version: 3.2.3
Recommended Action: Update to version 3.2.3, or a newer patched version

Plugin: Burst Statistics – Privacy-Friendly Analytics for WordPress

Vulnerability: Authenticated (Editor+) SQL Injection
Patched Version: 1.5.4
Recommended Action: Update to version 1.5.4, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field
Patched Version: 6.2.5
Recommended Action: Update to version 6.2.5, or a newer patched version

Plugin: Awesome Support – WordPress HelpDesk & Support Plugin

Vulnerability: Missing Authorization via editor_html()
Patched Version: 6.1.8
Recommended Action: Update to version 6.1.8, or a newer patched version

Plugin: Tainacan

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read
Patched Version: 0.21.8
Recommended Action: Update to version 0.21.8, or a newer patched version

Plugin: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Vulnerability: Authorization Bypass via type connect-app API
Patched Version: 2.8.8
Recommended Action: Update to version 2.8.8, or a newer patched version

Plugin: WP Show Posts

Vulnerability: Improper Authorization to Information Exposure
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Hustle – Email Marketing, Lead Generation, Optins, Popups

Vulnerability: Sensitive Information Exposure via Exposed Hubspot API Keys
Patched Version: 7.8.4
Recommended Action: Update to version 7.8.4, or a newer patched version

Plugin: ElementsKit Elementor addons

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

Plugin: WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly

Vulnerability: Missing Authorization via ttbm_new_place_save
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version

Plugin: Breakdance

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via custom postmeta
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Disabled Membership Registration Bypass
Patched Version: 5.1.7
Recommended Action: Update to version 5.1.7, or a newer patched version

Plugin: Collapse-O-Matic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8.5.6
Recommended Action: Update to version 1.8.5.6, or a newer patched version

Plugin: News Element Elementor Blog Magazine

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Elementor Widget
Patched Version: 2.10.28
Recommended Action: Update to version 2.10.28, or a newer patched version

Plugin: Oxygen Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field
Patched Version: 4.8.1
Recommended Action: Update to version 4.8.1, or a newer patched version

Plugin: ParityPress – Parity Pricing with Discount Rules

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.1
Recommended Action: Update to version 1.0.1, or a newer patched version

Plugin: Category Discount Woocommerce

Vulnerability: Cross-Site Request Forgery via wpcd_save_discount()
Patched Version: 4.12
Recommended Action: Update to version 4.12, or a newer patched version

Plugin: WebSub (FKA. PubSubHubbub)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: CTX Feed – WooCommerce Product Feed Manager

Vulnerability: Authenticated (Shop Manager+) Arbitrary Options Update
Patched Version: 6.5.7
Recommended Action: Update to version 6.5.7, or a newer patched version

Plugin: Piraeus Bank WooCommerce Payment Gateway

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.7.0
Recommended Action: Update to version 1.7.0, or a newer patched version

Plugin: Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category, and more

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: ImageRecycle pdf & image compression

Vulnerability: Missing Authorization to Settings Update in stopOptimizeAll
Patched Version: 3.1.14
Recommended Action: Update to version 3.1.14, or a newer patched version

Plugin: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.1.10
Recommended Action: Update to version 5.1.10, or a newer patched version

Plugin: weForms – Easy Drag & Drop Contact Form Builder For WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Referer
Patched Version: 1.6.22
Recommended Action: Update to version 1.6.22, or a newer patched version

Plugin: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerability: Insecure Direct Object Reference to Sensitive Information Exposure via user_meta Shortcode
Patched Version: 3.10.8
Recommended Action: Update to version 3.10.8, or a newer patched version

Plugin: Email Encoder – Protect Email Addresses and Phone Numbers

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.10
Recommended Action: Update to version 2.1.10, or a newer patched version

Plugin: Zoho Campaigns

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.1.0
Recommended Action: Update to version 2.1.0, or a newer patched version

Plugin: Restrict User Access – Ultimate Membership & Content Protection

Vulnerability: Information Exposure
Patched Version: 2.6
Recommended Action: Update to version 2.6, or a newer patched version

Plugin: All-in-One Video Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Video Shortcode
Patched Version: 3.8.3
Recommended Action: Update to version 3.8.3, or a newer patched version

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: Missing Authorization
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.4.7
Recommended Action: Update to version 4.4.7, or a newer patched version

Plugin: Categorify – WordPress Media Library Category & File Manager

Vulnerability: Missing Authorization in categorifyAjaxRenameCategory
Patched Version: 1.0.7.5
Recommended Action: Update to version 1.0.7.5, or a newer patched version

Plugin: The Events Calendar

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 6.2.9
Recommended Action: Update to version 6.2.9, or a newer patched version

Plugin: MapPress Maps for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Map Settings
Patched Version: 2.88.17
Recommended Action: Update to version 2.88.17, or a newer patched version

Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.7.14
Recommended Action: Update to version 2.7.14, or a newer patched version

Plugin: Master Currency WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Currency Converter Form Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: One Click Close Comments

Vulnerability: Unauthenticated Full Path Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Information Exposure via get_posts API Endpoint
Patched Version: 2.2.69
Recommended Action: Update to version 2.2.69, or a newer patched version

Plugin: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder

Vulnerability: HTML Injection
Patched Version: 6.7.1
Recommended Action: Update to version 6.7.1, or a newer patched version

Plugin: ElementsKit Elementor addons

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 3.0.4
Recommended Action: Update to version 3.0.4, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
