Watch Out Wednesday – June 12, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Site Favicon

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.3
Recommended Action: Update to version 0.3, or a newer patched version

Plugin: Waitlist Woocommerce ( Back in stock notifier )

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 2.6.1
Recommended Action: Update to version 2.6.1, or a newer patched version

Plugin: Comments – wpDiscuz

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.6.19
Recommended Action: Update to version 7.6.19, or a newer patched version

Plugin: Contact Form Builder, Contact Widget

Vulnerability: Authentication Request Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Quiz Attempt Deletion
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Tooltip CK

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Rotating Tweets (Twitter widget and shortcode)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Five Star Restaurant Menu and Food Ordering

Vulnerability: Missing Authorization to Menu Creation
Patched Version: 2.4.17
Recommended Action: Update to version 2.4.17, or a newer patched version

Plugin: WP Chat App

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.6.5
Recommended Action: Update to version 3.6.5, or a newer patched version

Plugin: WPBITS Addons For Elementor Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Qi Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Dashboard To-Do List

Vulnerability: Missing Authorization via ardtdw_widgetsetup()
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Colibri Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.0.277
Recommended Action: Update to version 1.0.277, or a newer patched version

Plugin: Calendar

Vulnerability: Authenticated (Contributor+) SQL Injection via Shortcode
Patched Version: 1.3.15
Recommended Action: Update to version 1.3.15, or a newer patched version

Plugin: AffiEasy

Vulnerability: Cross-Site Request Forgery to Various Actions
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: FameTheme Demo Importer

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Colibri Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_video_player Shortcode
Patched Version: 1.0.277
Recommended Action: Update to version 1.0.277, or a newer patched version

Plugin: EnvíaloSimple: Email Marketing y Newsletters

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.3
Recommended Action: Update to version 2.3, or a newer patched version

Plugin: WP Reset – Most Advanced WordPress Reset Tool

Vulnerability: Missing Authorization to License Key Modification
Patched Version: 2.03
Recommended Action: Update to version 2.03, or a newer patched version

Plugin: Weather Widget Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.41
Recommended Action: Update to version 1.1.41, or a newer patched version

Plugin: Podlove Web Player

Vulnerability: Missing Authorization to Unauthenticated Information Exposure
Patched Version: 5.7.4
Recommended Action: Update to version 5.7.4, or a newer patched version

Plugin: Crafthemes Demo Import

Vulnerability: Missing Authorization to Arbitrary Plugin Installation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Time Slots Booking Form

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version

Plugin: Heateor Social Login WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.33
Recommended Action: Update to version 1.1.33, or a newer patched version

Plugin: Boostify Header Footer Builder for Elementor

Vulnerability: Missing Authorization to Page/Post Creation
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.0.2
Recommended Action: Update to version 9.0.2, or a newer patched version

Plugin: YITH WooCommerce Tab Manager

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.35.1
Recommended Action: Update to version 1.35.1, or a newer patched version

Plugin: ElasticPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Simple Image Popup Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: LearnPress – WordPress LMS Plugin

Vulnerability: Basic Information Disclosure via JSON API
Patched Version: 4.2.6.8.1
Recommended Action: Update to version 4.2.6.8.1, or a newer patched version

Plugin: Custom Dash

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Zipped SVG
Patched Version: 1.8.24
Recommended Action: Update to version 1.8.24, or a newer patched version

Plugin: The Moneytizer

Vulnerability: Cross-Site Request Forgery via multiple AJAX actions
Patched Version: 10.0.1
Recommended Action: Update to version 10.0.1, or a newer patched version

Plugin: Restrict for Elementor

Vulnerability: Protection Mechanism Bypass
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Missing Authorization
Patched Version: 6.7.0
Recommended Action: Update to version 6.7.0, or a newer patched version

Plugin: Themesflat Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Tags
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: CB (legacy)

Vulnerability: Cross-Site Request Forgery to Code/Timeframe/Booking Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Clever Fox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 25.2.1
Recommended Action: Update to version 25.2.1, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.12.1
Recommended Action: Update to version 3.12.1, or a newer patched version

Plugin: 12 Step Meeting List

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.14.34
Recommended Action: Update to version 3.14.34, or a newer patched version

Plugin: Login/Signup Popup ( Inline Form + Woocommerce )

Vulnerability: 2.7.2
Patched Version: 2.7.3
Recommended Action: Update to version 2.7.3, or a newer patched version

Plugin: Link Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version

Plugin: GP Premium

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Bosa Elementor Addons and Templates for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version

Plugin: Interactive Content – H5P

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.15.8
Recommended Action: Update to version 1.15.8, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated (Subscriber+) SQL Injection Vulnerability via options[list_id]
Patched Version: 5.7.23
Recommended Action: Update to version 5.7.23, or a newer patched version

Plugin: Wbcom Designs – Custom Font Uploader

Vulnerability: Custom Font Uploader <= 2.3.4
Patched Version: 2.4.0
Recommended Action: Update to version 2.4.0, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.8.1
Recommended Action: Update to version 1.8.1, or a newer patched version

Plugin: PowerPack Pro for Elementor

Vulnerability: Authenticated (Contributor+) Privilege Escalation
Patched Version: 2.10.18
Recommended Action: Update to version 2.10.18, or a newer patched version

Plugin: WP Logs Book

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Logs Book

Vulnerability: Cross-Site Request Forgery to Log Disabling
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Field Template

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.7.2
Recommended Action: Update to version 7.7.2, or a newer patched version

Plugin: Spotify Play Button

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Qi Addons For Elementor

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: SiteOrigin Widgets Bundle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via SiteOrigin Blog Widget
Patched Version: 1.62.0
Recommended Action: Update to version 1.62.0, or a newer patched version

Plugin: Kognetiks Chatbot for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Plugin: Video Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Time Slots Booking Form

Vulnerability: Missing Authorization
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version

Plugin: Newsletter Popup

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Forms for Mailchimp

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Maintenance

Vulnerability: Authenticated (Admin+) Cross-Site Scripting
Patched Version: 6.0.8
Recommended Action: Update to version 6.0.8, or a newer patched version

Plugin: Advanced Contact form 7 DB

Vulnerability: Missing Authorization to Unauthenticated Information Disclosure
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes
Patched Version: 2.4.44
Recommended Action: Update to version 2.4.44, or a newer patched version

Plugin: Under Construction / Maintenance Mode from Acurax

Vulnerability: Unauthenticated IP Spoofing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CSSable Countdown

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Otter Blocks PRO – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

Vulnerability: Authenticated (Subscriber+) Information Exposure
Patched Version: 2.6.12
Recommended Action: Update to version 2.6.12, or a newer patched version

Plugin: YITH WooCommerce Product Add-Ons

Vulnerability: Unauthenticated Content Injection
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version

Plugin: Ovic Importer

Vulnerability: Authenticated (Subscriber+) Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PPOM – Product Addons & Custom Fields for WooCommerce

Vulnerability: Unauthenticated Content Injection Vulnerability
Patched Version: 32.0.21
Recommended Action: Update to version 32.0.21, or a newer patched version

Plugin: ProfilePro

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Table of Contents

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.0.66
Recommended Action: Update to version 2.0.66, or a newer patched version

Plugin: Woocommerce – Recent Purchases

Vulnerability: Authenticated (Admin+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Subscribe2 – Form, Email Subscribers & Newsletters

Vulnerability: Missing Authorization via handle_optin_optout
Patched Version: 10.43
Recommended Action: Update to version 10.43, or a newer patched version

Plugin: WooCommerce Tools

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Plugin Module Deactivation
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version

Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress

Vulnerability: Unauthenticated CSV Injection
Patched Version: 1.9.218
Recommended Action: Update to version 1.9.218, or a newer patched version

Plugin: Extra Product Options for WooCommerce

Vulnerability: Authenticated (Shop manager+) Stored Cross-Site Scripting via plugin settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Online Booking and Scheduling Plugin – Bookly

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via Color Profile Parameter
Patched Version: 23.3
Recommended Action: Update to version 23.3, or a newer patched version

Plugin: Blog2Social: Social Media Auto Post & Scheduler

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 7.4.2
Recommended Action: Update to version 7.4.2, or a newer patched version

Plugin: Kadence Blocks Pro

Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 2.3.8
Recommended Action: Update to version 2.3.8, or a newer patched version

Plugin: EasyAzon – Amazon Associates Affiliate Plugin

Vulnerability: Reflected Cross-Site Scripting via easyazon-cloaking-locale
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Easy Digital Downloads – Recent Purchases

Vulnerability: Unauthenticated Remote File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ApplyOnline – Application Form Builder and Manager

Vulnerability: Missing Authorization to Sensitive Information Exposure
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via WL Product Horizontal Filter Widget
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated Arbitrary File Read
Patched Version: 2.21.0
Recommended Action: Update to version 2.21.0, or a newer patched version

Plugin: Ninja Tables – Easy Data Table Builder

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 5.0.10
Recommended Action: Update to version 5.0.10, or a newer patched version

Plugin: BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: PVN Auth Popup

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Strategery Migrations

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Photoswipe

Vulnerability: Missing Authorization (Subscriber+) Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Docs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Album and Image Gallery plus Lightbox

Vulnerability: Unauthenticated Arbitrary Shortcode Execution
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting via np1
Patched Version: 8.3.5
Recommended Action: Update to version 8.3.5, or a newer patched version

Plugin: WP Logs Book

Vulnerability: Cross-Site Request Forgery to Log Clearing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Widget Bundle

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Copymatic – AI Content Writer & Generator

Vulnerability: Missing Authorization
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: MapFig Studio

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Navigation Menu Widget
Patched Version: 2.0.6.2
Recommended Action: Update to version 2.0.6.2, or a newer patched version

Plugin: Newsletters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.6
Recommended Action: Update to version 4.9.6, or a newer patched version

Plugin: HT Feed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Combo Blocks <= 2.2.80
Patched Version: 2.2.81
Recommended Action: Update to version 2.2.81, or a newer patched version

Plugin: Cards for Beaver Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Cards Widget
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: Property Hive

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.14
Recommended Action: Update to version 2.0.14, or a newer patched version

Plugin: WP Back Button

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce

Vulnerability: 8.9.2
Patched Version: 8.8.5
Recommended Action: Update to one of the following versions, or a newer patched version: 8.8.5, 8.9.3

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Uploads
Patched Version: 1.3.977
Recommended Action: Update to version 1.3.977, or a newer patched version

Plugin: WP Donate

Vulnerability: Unauthenticated SQL Injection in donate-display.php
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Sensei LMS – Online Courses, Quizzes, & Learning

Vulnerability: Missing Authorization
Patched Version: 4.24.0
Recommended Action: Update to version 4.24.0, or a newer patched version

Plugin: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via hover_animation Parameter
Patched Version: 4.1.12
Recommended Action: Update to version 4.1.12, or a newer patched version

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.23
Recommended Action: Update to version 5.9.23, or a newer patched version

Plugin: YITH Custom Login

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Mime Types Extended

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pure Chat – Live Chat & More!

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.23
Recommended Action: Update to version 2.23, or a newer patched version

Plugin: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: YITH WooCommerce Wishlist

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.33.0
Recommended Action: Update to version 3.33.0, or a newer patched version

Plugin: Custom Field Template

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field Name
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Unauthenticated SQL Injection via hash
Patched Version: 5.7.21
Recommended Action: Update to version 5.7.21, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 6.7.11
Recommended Action: Update to version 6.7.11, or a newer patched version

Plugin: Site Reviews

Vulnerability: IP Address Spoofing to Blocking Bypass
Patched Version: 7.0.0
Recommended Action: Update to version 7.0.0, or a newer patched version

Plugin: WP Visitors Tracker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: WebP & SVG Support

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Reviews Block for Google

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Unauthenticated Stored Cross-Site Scripting via Form
Patched Version: 2.4.44
Recommended Action: Update to version 2.4.44, or a newer patched version

Plugin: WPMobile.App — Android and iOS Mobile Application

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.42
Recommended Action: Update to version 11.42, or a newer patched version

Plugin: Simple AL Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Recall – Registration, Profile, Commerce & More

Vulnerability: Unauthenticated Payment Deletion via delete_payment
Patched Version: 16.26.7
Recommended Action: Update to version 16.26.7, or a newer patched version

Plugin: Image Hover Effects for Elementor with Lightbox and Flipbox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via _id, oxi_addons_f_title_tag, and content_description_tag Parameters
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GamiPress – Link

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.5
Recommended Action: Update to version 1.1.5, or a newer patched version

Plugin: Media Slider – Photo Slider, Video Slider, Link Slider, Carousal Slideshow

Vulnerability: Missing Authorization
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Auto Coupons for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.15
Recommended Action: Update to version 3.0.15, or a newer patched version

Plugin: Materialis Companion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via materialis_contact_form Shortcode
Patched Version: 1.3.42
Recommended Action: Update to version 1.3.42, or a newer patched version

Plugin: TemplatesNext OnePager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Moneytizer

Vulnerability: Missing Authorization via multiple AJAX actions
Patched Version: 10.0.1
Recommended Action: Update to version 10.0.1, or a newer patched version

Plugin: Boostify Header Footer Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via size Parameter
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Widget Bundle

Vulnerability: Cross-Site Request Forgery to Widget Disable/Enable
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Heateor Social Login WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.33
Recommended Action: Update to version 1.1.33, or a newer patched version

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Vulnerability: Authenticated (Contributor+) Path Traversal via esc_dir Function
Patched Version: 1.8.24
Recommended Action: Update to version 1.8.24, or a newer patched version

Plugin: FileOrganizer – Manage WordPress and Website Files

Vulnerability: Sensitive Information Exposure via Directory Listing
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Missing Authorization
Patched Version: 5.8.7
Recommended Action: Update to version 5.8.7, or a newer patched version

Plugin: Qubely – Advanced Gutenberg Blocks

Vulnerability: Insufficient Authorization
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: WP Mobile Menu – The Mobile-Friendly Responsive Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Alt
Patched Version: 2.8.4.3
Recommended Action: Update to version 2.8.4.3, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via EmbedPress PDF Widget
Patched Version: 4.0.2
Recommended Action: Update to version 4.0.2, or a newer patched version

Plugin: DOP Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Custom Field Template

Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages

Vulnerability: Missing Authorization
Patched Version: 3.4.20
Recommended Action: Update to version 3.4.20, or a newer patched version

Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.78
Recommended Action: Update to version 3.1.78, or a newer patched version

Plugin: FV Flowplayer Video Player

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.5.46.7212
Recommended Action: Update to version 7.5.46.7212, or a newer patched version

Plugin: Sensei Pro (WC Paid Courses)

Vulnerability: Authenticated (Student+) Stored Cross-Site Scripting
Patched Version: 4.24.0.1.24.0
Recommended Action: Update to version 4.24.0.1.24.0, or a newer patched version

Plugin: Extra Product Options for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: TablePress – Tables in WordPress made easy

Vulnerability: Authenticated (Author+) Server-Side Request Forgery via DNS Rebind
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Animated AL List

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Salon Booking System

Vulnerability: Missing Authorization
Patched Version: 10.0
Recommended Action: Update to version 10.0, or a newer patched version

Plugin: The Events Calendar

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.4.0.1
Recommended Action: Update to version 6.4.0.1, or a newer patched version

Plugin: Dynamic Widgets

Vulnerability: Authenticated SQL Injection
Patched Version: 1.5.11
Recommended Action: Update to version 1.5.11, or a newer patched version

Plugin: Essential Addons for Elementor Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Lightbox and Modal Widget
Patched Version: 5.8.16
Recommended Action: Update to version 5.8.16, or a newer patched version

Plugin: List categories

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.5
Recommended Action: Update to version 0.5, or a newer patched version

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 3.8.9
Recommended Action: Update to version 3.8.9, or a newer patched version

Plugin: Preferred Languages

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Safety Exit

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: WP Docs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: CP Appointment Calendar

Vulnerability: Unauthenticated SQL Injection
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: Contact Form 7

Vulnerability: Unauthenticated Open Redirect
Patched Version: 5.9.5
Recommended Action: Update to version 5.9.5, or a newer patched version

Plugin: BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 3.3.4
Recommended Action: Update to version 3.3.4, or a newer patched version

Plugin: Database Cleaner

Vulnerability: Authenticated (Admin+) Arbitrary File Read
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Bubble Menu – Sticky Navigation with Floating Button Menu Solution

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.5
Recommended Action: Update to version 3.0.5, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Form Functionality
Patched Version: 2.4.44
Recommended Action: Update to version 2.4.44, or a newer patched version

Plugin: Recurring PayPal Donations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting
Patched Version: 3.2.87
Recommended Action: Update to version 3.2.87, or a newer patched version

Plugin: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Pacific Widget
Patched Version: 3.14.8
Recommended Action: Update to version 3.14.8, or a newer patched version

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version

Plugin: Custom Field Template

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: Download Plugins and Themes in ZIP from Dashboard

Vulnerability: Authenticated (Admin+) Arbitrary File Download
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version

Plugin: LA-Studio Element Kit for Elementor

Vulnerability: Missing Authorization
Patched Version: 1.3.7.4
Recommended Action: Update to version 1.3.7.4, or a newer patched version

Plugin: Clever Fox

Vulnerability: Missing Authorization to arbitrary theme activation via clever-fox-activate-theme
Patched Version: 25.2.1
Recommended Action: Update to version 25.2.1, or a newer patched version

Plugin: Termly – GDPR/CCPA Cookie Consent Banner

Vulnerability: Missing Authorization via handle_consent_toggle()
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: SellKit – Funnel builder and checkout optimizer for WooCommerce to sell more, faster

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Patched Version: 2.0.0
Recommended Action: Update to version 2.0.0, or a newer patched version

Plugin: Coming soon and Maintenance mode

Vulnerability: IP Address Spoofing via get_real_ip
Patched Version: 3.7.4
Recommended Action: Update to version 3.7.4, or a newer patched version

Plugin: One Page Express Companion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via one_page_express_contact_form Shortcode
Patched Version: 1.6.38
Recommended Action: Update to version 1.6.38, or a newer patched version

Plugin: Stellissimo Text Box

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Ajax Chat – Add a Fast, Secure Chat Box

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 20240412
Recommended Action: Update to version 20240412, or a newer patched version

Plugin: Slider Responsive Slideshow – Image slider, Gallery slideshow

Vulnerability: Missing Authorization
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: SC filechecker

Vulnerability: Authenticated (Admin+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Blocksy Companion

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 2.0.43
Recommended Action: Update to version 2.0.43, or a newer patched version

Plugin: Music Store – WordPress eCommerce

Vulnerability: WordPress eCommerce <= 1.1.13
Patched Version: 1.1.14
Recommended Action: Update to version 1.1.14, or a newer patched version

Plugin: Newsletter Popup

Vulnerability: Cross-Site Request Forgery to Subscriber Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via event, location, and event_category Shortcodes
Patched Version: 6.4.8
Recommended Action: Update to version 6.4.8, or a newer patched version

Plugin: Widget4Call

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 4.10.34
Recommended Action: Update to version 4.10.34, or a newer patched version

Plugin: Pagerank tools

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.24
Recommended Action: Update to version 5.9.24, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 1.5.110
Recommended Action: Update to version 1.5.110, or a newer patched version

Plugin: Minimal Coming Soon – Coming Soon Page

Vulnerability: Missing Authorization to Limited Settings Change
Patched Version: 2.39
Recommended Action: Update to version 2.39, or a newer patched version

Plugin: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.0.219
Recommended Action: Update to version 1.0.219, or a newer patched version

Plugin: Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery

Vulnerability: Missing Authorization
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: LightPress Lightbox

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via title Attribute
Patched Version: 1.5.5
Recommended Action: Update to version 1.5.5, or a newer patched version

Plugin: Ocean Extra

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Flickr Widget
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm_modal_login_form Shortcode
Patched Version: 3.2.94
Recommended Action: Update to version 3.2.94, or a newer patched version

Plugin: WP Booking

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.4.5
Recommended Action: Update to version 2.4.5, or a newer patched version

Plugin: Active Products Tables for WooCommerce. Use constructor to create tables

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.6.4
Recommended Action: Update to version 1.0.6.4, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.6.34
Recommended Action: Update to version 3.6.34, or a newer patched version

Plugin: GDPR CCPA Compliance & Cookie Consent Banner

Vulnerability: Missing Authorization to Settings Update and Stored Cross-Site Scripting
Patched Version: 2.7.1
Recommended Action: Update to version 2.7.1, or a newer patched version

Plugin: sitetweet

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Newsletter Popup

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Startklar Elementor Addons

Vulnerability: Unauthenticated Path Traversal to Arbitrary Directory Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Weaver Xtreme Theme Support

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via div Shortcode
Patched Version: 6.5
Recommended Action: Update to version 6.5, or a newer patched version

Plugin: Easy Social Like Box – Popup – Sidebar Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.1
Recommended Action: Update to version 4.1, or a newer patched version

Plugin: Qi Blocks

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: RestroPress – Online Food Ordering System

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.2.2
Recommended Action: Update to version 3.1.2.2, or a newer patched version

Plugin: CF7 Google Sheets Connector

Vulnerability: Missing Authorization to Limited Site Configuration Update
Patched Version: 5.0.10
Recommended Action: Update to version 5.0.10, or a newer patched version

Plugin: Visualizer: Tables and Charts Manager for WordPress

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version

Plugin: Global Notification Bar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Force SSL & HTTPS SSL Redirect

Vulnerability: Missing Authorization to Settings Update
Patched Version: 1.67
Recommended Action: Update to version 1.67, or a newer patched version

Plugin: Leyka

Vulnerability: Missing Authorization
Patched Version: 3.31.2
Recommended Action: Update to version 3.31.2, or a newer patched version

Plugin: Strong Testimonials

Vulnerability: Authenticated (Contributor+) Improper Authorization to Views Modification
Patched Version: 3.1.13
Recommended Action: Update to version 3.1.13, or a newer patched version

Plugin: Bookster – WordPress Appointment Booking Plugin

Vulnerability: Unauthenticated Appointment Manipulation
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: Market Exporter

Vulnerability: Missing Authorization to Arbitrary File Deletion
Patched Version: 2.0.20
Recommended Action: Update to version 2.0.20, or a newer patched version

Plugin: Social Rocket – Social Sharing Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.10
Recommended Action: Update to version 1.2.10, or a newer patched version

Plugin: WordPress prettyPhoto

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PVN Auth Popup

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Pure Chat – Live Chat & More!

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.23
Recommended Action: Update to version 2.23, or a newer patched version

Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress

Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

Vulnerability: Missing Authorization to Information Exposure
Patched Version: 10.24
Recommended Action: Update to version 10.24, or a newer patched version

Plugin: CB (legacy)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Block for Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.5.7
Recommended Action: Update to version 6.5.7, or a newer patched version

Plugin: Advanced Contact form 7 DB

Vulnerability: Sensitive Information Exposure
Patched Version: 2.0.3
Recommended Action: Update to version 2.0.3, or a newer patched version

Plugin: PostmagThemes Demo Import

Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Clever Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple CAFE Widgets
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.977
Recommended Action: Update to version 1.3.977, or a newer patched version

Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.40
Recommended Action: Update to version 1.1.40, or a newer patched version

Plugin: Kenta Blocks – Responsive Blocks and block templates library

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Advanced Woo Labels – Product Labels for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.94
Recommended Action: Update to version 1.94, or a newer patched version

Plugin: Survey Maker

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.2.9
Recommended Action: Update to version 4.2.9, or a newer patched version

Plugin: Upunzipper

Vulnerability: Authenticated (Admin+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GG Woo Feed for WooCommerce Shopping Feed on Google and Other Channels

Vulnerability: Missing Authorization to Unauthenticated Plugin Settings Update
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: Themesflat Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Titles
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Tickera – WordPress Event Ticketing

Vulnerability: Missing Authorization
Patched Version: 3.5.2.7
Recommended Action: Update to version 3.5.2.7, or a newer patched version

Plugin: Frontend Checklist

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Items
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Widget Options – Extended

Vulnerability: Extended <= 5.1.0 & Widget Options <= 4.0.1
Patched Version: 5.1.3
Recommended Action: Update to version 5.1.3, or a newer patched version

Plugin: ElementsReady Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.2.0
Recommended Action: Update to version 6.2.0, or a newer patched version

Plugin: Testimonial Carousel For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 10.2.3
Recommended Action: Update to version 10.2.3, or a newer patched version

Plugin: WP TripAdvisor Review Slider

Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 12.7
Recommended Action: Update to version 12.7, or a newer patched version

Plugin: WP Dark Mode – WordPress Dark Mode Plugin for Improved Accessibility, Dark Theme, Night Mode, and Social Sharing

Vulnerability: Missing Authorization
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock

Vulnerability: Missing Authorization to Authenticated (Subscriber+) PHP Object Injection
Patched Version: 2.7.8.1
Recommended Action: Update to version 2.7.8.1, or a newer patched version

Plugin: Dokan Pro

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version

Plugin: Envo Extra

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
Patched Version: 1.8.25
Recommended Action: Update to version 1.8.25, or a newer patched version

Plugin: Newsletter Popup

Vulnerability: Cross-Site Request Forgery to List Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Themesflat Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: SKT Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Age Gate and Creative Slider Widgets
Patched Version: 2.1
Recommended Action: Update to version 2.1, or a newer patched version

Plugin: BuddyPress Members Only

Vulnerability: Improper Access Control to Sensitive Information Exposure via REST API
Patched Version: 4.4.9
Recommended Action: Update to version 4.4.9, or a newer patched version

Plugin: Frontend Checklist

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MegaMenu

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.3.13
Recommended Action: Update to version 2.3.13, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.42
Recommended Action: Update to version 2.4.42, or a newer patched version

Plugin: Muslim Prayer Time BD – Prayer Reminder for Bangladesh

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Photoswipe

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Missing Authorization to MA Template Creation or Modification
Patched Version: 2.0.6.2
Recommended Action: Update to version 2.0.6.2, or a newer patched version

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.81
Recommended Action: Update to version 2.2.81, or a newer patched version

Plugin: Album Gallery – WordPress Gallery

Vulnerability: Missing Authorization
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: WooCommerce Dropshipping Premium

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Email Send
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cowidgets – Elementor Addons

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: FooGallery Premium

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 2.4.15
Recommended Action: Update to version 2.4.15, or a newer patched version

Plugin: Testimonials Widget

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via testimonials Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gutenberg Blocks and Page Layouts – Attire Blocks

Vulnerability: Missing Authorization
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version

Plugin: Tutor LMS – eLearning and online course solution

Vulnerability: No subtitle
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Link To URL
Patched Version: 2.4.44
Recommended Action: Update to version 2.4.44, or a newer patched version

Plugin: Themesflat Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via URLs
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Contributor+) Blind SQL Injection via data[addonID] Parameter
Patched Version: 1.5.110
Recommended Action: Update to version 1.5.110, or a newer patched version

Plugin: Church Admin

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: Open Graph

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.11.3
Recommended Action: Update to version 1.11.3, or a newer patched version

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.9.1
Recommended Action: Update to version 1.9.1, or a newer patched version

Plugin: BuddyPress Cover

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Widget Bundle

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SharkDropship and Affiliate for AliExpress, Temu, eBay, Amazon and Etsy to woocommerce

Vulnerability: Missing Authorization
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 9.0.2
Recommended Action: Update to version 9.0.2, or a newer patched version

Plugin: WPS Hide Login

Vulnerability: Login Page Disclosure
Patched Version: 1.9.16
Recommended Action: Update to version 1.9.16, or a newer patched version

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.15.26
Recommended Action: Update to version 1.15.26, or a newer patched version

Plugin: Just Writing Statistics

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
