Watch Out Wednesday – June 19, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we list newly disclosed vulnerabilities in WordPress plugins, together with the patched version where one exists. Compare the list against the plugins installed on your site and update, mitigate, or remove the affected ones. In the entries below, a role in parentheses (for example "Contributor+") is the lowest WordPress role an attacker needs to exploit the issue, and "Unauthenticated" means no account is required at all, so those entries deserve the fastest response.
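
Acting on a list like this means comparing installed plugin versions against the patched versions, and doing that by string comparison gets it wrong (3.2.9 sorts after 3.2.90 as text, and 2.0.67 must be treated as older than 2.0.67.1). The script below is an added example, not code from this roundup or from any plugin vendor. It assumes the installed versions come from WP-CLI's `wp plugin list --format=json`, embeds a constructed sample of that output so it runs offline, and uses plugin slugs that are assumptions since the roundup lists display names. Entries with no patched version are flagged for removal rather than for update.

```python
"""Compare installed WordPress plugin versions against a patched-version table.

Added example for this roundup; not the page author's or any vendor's code.
Installed versions are assumed to come from `wp plugin list --format=json`
(WP-CLI); a constructed sample is embedded so the script runs offline.
"""
import json
import re

# Constructed sample of `wp plugin list --fields=name,version --format=json`.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "download-manager", "version": "3.2.9"},
    {"name": "autoptimize", "version": "2.1.1"},
    {"name": "easy-table-of-contents", "version": "2.0.67"},
    {"name": "ovic-importer", "version": "1.3.0"},
    {"name": "akismet", "version": "5.3"},
])

# Advisory table keyed by plugin slug (slugs are assumptions, the roundup
# lists display names). None means no patched version is available.
ADVISORIES = {
    "download-manager": "3.2.94",
    "autoptimize": "2.1.1",
    "easy-table-of-contents": "2.0.67.1",
    "ovic-importer": None,
}


def version_key(version):
    """Turn '2.0.67.1' into (2, 0, 67, 1) so components compare numerically.

    Any pre-release suffix after '-' (e.g. '1.2.3-beta') is dropped, so a
    pre-release of the patched version is treated as patched; tighten this
    if your site runs pre-release builds.
    """
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def is_patched(installed, patched):
    """True when installed >= patched; shorter tuples are zero-padded so
    2.0.67 compares as 2.0.67.0 and is correctly older than 2.0.67.1."""
    a, b = version_key(installed), version_key(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def audit(plugin_list_json, advisories):
    """Return {slug: status} for every installed plugin that has an advisory.

    Status is 'patched', 'update-required', or 'no-patch-remove'.
    Plugins without an advisory are skipped.
    """
    findings = {}
    for plugin in json.loads(plugin_list_json):
        slug = plugin["name"]
        if slug not in advisories:
            continue
        patched = advisories[slug]
        if patched is None:
            findings[slug] = "no-patch-remove"
        elif is_patched(plugin["version"], patched):
            findings[slug] = "patched"
        else:
            findings[slug] = "update-required"
    return findings


if __name__ == "__main__":
    for slug, status in sorted(audit(SAMPLE_WP_PLUGIN_LIST, ADVISORIES).items()):
        print(f"{slug}: {status}")
```

On a live site, replace the embedded sample with the real output of `wp plugin list --fields=name,version --format=json` and fill the advisory table from the entries below. Version comparison here is purely numeric on dotted components; WordPress itself uses PHP's version_compare, which additionally orders pre-release tags, so keep the two in mind if a vendor ships a beta.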

Plugin: Comments – wpDiscuz

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.6.19
Recommended Action: Update to version 7.6.19, or a newer patched version

Plugin: Contact Form Builder, Contact Widget

Vulnerability: Authentication Request Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Cost Calculator Builder PRO

Vulnerability: Unauthenticated Arbitrary Email Sending
Patched Version: 3.1.76
Recommended Action: Update to version 3.1.76, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Cross-Site Request Forgery to Post Creation and Limited Data Loss
Patched Version: 3.2.20
Recommended Action: Update to version 3.2.20, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Missing Authorization in Multiple AJAX Actions
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version

Plugin: Dashboard To-Do List

Vulnerability: Missing Authorization via ardtdw_widgetsetup()
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version

Plugin: Admin Notices Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Email Retrieval
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: WP Magazine Modules Lite

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: Autoptimize

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: WPQA – Builder forms Addon For WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 6.1.1
Recommended Action: Update to version 6.1.1, or a newer patched version

Plugin: Podlove Web Player

Vulnerability: Missing Authorization to Unauthenticated Information Exposure
Patched Version: 5.7.4
Recommended Action: Update to version 5.7.4, or a newer patched version

Plugin: WP Time Slots Booking Form

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.2.11
Recommended Action: Update to version 1.2.11, or a newer patched version

Plugin: URL Shortener by MyThemeShop

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Heateor Social Login WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.1.33
Recommended Action: Update to version 1.1.33, or a newer patched version

Plugin: WP Recipe Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘group_tag’
Patched Version: 9.1.1
Recommended Action: Update to version 9.1.1, or a newer patched version

Plugin: FooEvents for WooCommerce

Vulnerability: Improper Authorization to Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 1.19.21
Recommended Action: Update to version 1.19.21, or a newer patched version

Plugin: YITH WooCommerce Tab Manager

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.35.1
Recommended Action: Update to version 1.35.1, or a newer patched version

Plugin: BuddyPress

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 12.5.1
Recommended Action: Update to version 12.5.1, or a newer patched version

Plugin: ElasticPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.1.1
Recommended Action: Update to version 5.1.1, or a newer patched version

Plugin: Download Manager

Vulnerability: Improper Authorization via protectMediaLibrary
Patched Version: 3.2.90
Recommended Action: Update to version 3.2.90, or a newer patched version

Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads

Vulnerability: Not specified in this advisory
Patched Version: 2.5.1
Recommended Action: Update to version 2.5.1, or a newer patched version

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.12.1
Recommended Action: Update to version 3.12.1, or a newer patched version

Plugin: 12 Step Meeting List

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.14.34
Recommended Action: Update to version 3.14.34, or a newer patched version

Plugin: Link Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.4
Recommended Action: Update to version 7.6.4, or a newer patched version

Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar, Header Meta Content, Scroll Navigation, Pricing Table, & Flip Box
Patched Version: 5.5.5
Recommended Action: Update to version 5.5.5, or a newer patched version

Plugin: Simple Social Media Share Buttons – Social Sharing for Everyone

Vulnerability: Not specified in this advisory (affected versions up to 2.0.21)
Patched Version: 2.0.22
Recommended Action: Update to version 2.0.22, or a newer patched version

Plugin: WPPizza – A Restaurant Plugin

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.18.14
Recommended Action: Update to version 3.18.14, or a newer patched version

Plugin: Bosa Elementor Addons and Templates for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 1.0.13
Recommended Action: Update to version 1.0.13, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Authenticated (Subscriber+) SQL Injection via options[list_id]
Patched Version: 5.7.23
Recommended Action: Update to version 5.7.23, or a newer patched version

Plugin: Church Admin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version

Plugin: Schema App Structured Data

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.2.1
Recommended Action: Update to version 2.2.1, or a newer patched version

Plugin: SEOPress – On-site SEO

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.8
Recommended Action: Update to version 7.8, or a newer patched version

Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.7.2
Recommended Action: Update to version 7.7.2, or a newer patched version

Plugin: Product Reviews Import Export for WooCommerce

Vulnerability: Arbitrary User Creation
Patched Version: 1.3.3
Recommended Action: Update to version 1.3.3, or a newer patched version

Plugin: Kognetiks Chatbot for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Plugin: WP Time Slots Booking Form

Vulnerability: Missing Authorization
Patched Version: 1.2.12
Recommended Action: Update to version 1.2.12, or a newer patched version

Plugin: WP STAGING Pro WordPress Backup Plugin – Backup Duplicator & Migration

Vulnerability: Not specified in this advisory (affected versions <= 5.6.0)
Patched Version: 5.6.1
Recommended Action: Update to version 5.6.1, or a newer patched version

Plugin: Easy Forms for Mailchimp

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Under Construction / Maintenance Mode from Acurax

Vulnerability: Unauthenticated IP Spoofing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via titleFont Parameter
Patched Version: 3.2.39
Recommended Action: Update to version 3.2.39, or a newer patched version

Plugin: ElementsKit Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Motion Text and Table Widgets
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: YITH WooCommerce Product Add-Ons

Vulnerability: Unauthenticated Content Injection
Patched Version: 4.9.3
Recommended Action: Update to version 4.9.3, or a newer patched version

Plugin: Login with phone number

Vulnerability: Insecure Password Reset Mechanism
Patched Version: 1.7.35
Recommended Action: Update to version 1.7.35, or a newer patched version

Plugin: Ovic Importer

Vulnerability: Authenticated (Subscriber+) Arbitrary File Download
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: CoDesigner – All in One Elementor WooCommerce Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: PPOM – Product Addons & Custom Fields for WooCommerce

Vulnerability: Unauthenticated Content Injection
Patched Version: 32.0.21
Recommended Action: Update to version 32.0.21, or a newer patched version

Plugin: Ultimate Blocks – WordPress Blocks Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via metabox
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: WPBakery Visual Composer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via VC Single Image link attribute
Patched Version: 7.7
Recommended Action: Update to version 7.7, or a newer patched version

Plugin: Master Slider – Responsive Touch Slider

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ms_layer Shortcode
Patched Version: 3.10.0
Recommended Action: Update to version 3.10.0, or a newer patched version

Plugin: Google CSE

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: DImage 360

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Salon Booking System

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 10.3
Recommended Action: Update to version 10.3, or a newer patched version

Plugin: Simple Share Buttons Adder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 3.5.1
Recommended Action: Update to version 3.5.1, or a newer patched version

Plugin: Serious Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: Strategery Migrations

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Testimonial Carousel For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 10.2.0
Recommended Action: Update to version 10.2.0, or a newer patched version

Plugin: WP Docs

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: wpCentral

Vulnerability: Privilege Escalation
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: Custom Product List Table

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: tagDiv Composer

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Attachment Meta
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: Vimeography: Vimeo Video Gallery WordPress Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.4.2
Recommended Action: Update to version 2.4.2, or a newer patched version

Plugin: AI Infographic Maker

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Title Update
Patched Version: 4.7.5
Recommended Action: Update to version 4.7.5, or a newer patched version

Plugin: Restaurant Menu – Food Ordering System – Table Reservation

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.4.1
Recommended Action: Update to version 2.4.1, or a newer patched version

Plugin: Copymatic – AI Content Writer & Generator

Vulnerability: Missing Authorization
Patched Version: 2.0
Recommended Action: Update to version 2.0, or a newer patched version

Plugin: PDF Viewer for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via render
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.0
Recommended Action: Update to version 4.1.0, or a newer patched version

Plugin: Actueel Financieel Nieuws – Denk Internet Solutions

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched Version: 6.0.0
Recommended Action: Update to version 6.0.0, or a newer patched version

Plugin: SEOPress – On-site SEO

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 7.9
Recommended Action: Update to version 7.9, or a newer patched version

Plugin: Newsletters

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.9.6
Recommended Action: Update to version 4.9.6, or a newer patched version

Plugin: HT Feed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.9
Recommended Action: Update to version 1.2.9, or a newer patched version

Plugin: Custom Field Suite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via cfs[post_content]
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Property Hive

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.14
Recommended Action: Update to version 2.0.14, or a newer patched version

Plugin: ProfileGrid – User Profiles, Groups and Communities

Vulnerability: Missing Authorization to Arbitrary Password Reset
Patched Version: 5.3.1
Recommended Action: Update to version 5.3.1, or a newer patched version

Plugin: Sensei LMS – Online Courses, Quizzes, & Learning

Vulnerability: Missing Authorization
Patched Version: 4.24.0
Recommended Action: Update to version 4.24.0, or a newer patched version

Plugin: YITH Custom Login

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Slideshow Gallery LITE

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.8.2
Recommended Action: Update to version 1.8.2, or a newer patched version

Plugin: Scheduling Plugin – Online Booking for WordPress

Vulnerability: Missing Authorization to Unauthenticated Service Disconnection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.6.1
Recommended Action: Update to version 2.0.6.1, or a newer patched version

Plugin: LatePoint Plugin

Vulnerability: Missing Authorization and Sensitive Information Exposure via IDOR
Patched Version: 4.9.9.1
Recommended Action: Update to version 4.9.9.1, or a newer patched version

Plugin: ElementsKit Pro

Vulnerability: Authenticated (Contributor+) Server-Side Request Forgery
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: Estatik Real Estate Plugin

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: WP Visitors Tracker

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Widget
Patched Version: 1.13.4
Recommended Action: Update to version 1.13.4, or a newer patched version

Plugin: Store Locator Plus® for WordPress

Vulnerability: Authenticated Privilege Escalation
Patched Version: 5.7
Recommended Action: Update to version 5.7, or a newer patched version

Plugin: Where I Was, Where I Will Be

Vulnerability: Unauthenticated Remote File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPMobile.App — Android and iOS Mobile Application

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 11.42
Recommended Action: Update to version 11.42, or a newer patched version

Plugin: Simple AL Slider

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Media Slider – Photo Slider, Video Slider, Link Slider, Carousal Slideshow

Vulnerability: Missing Authorization
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Auto Coupons for WooCommerce

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.0.15
Recommended Action: Update to version 3.0.15, or a newer patched version

Plugin: TemplatesNext OnePager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Download Manager

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Multiple Shortcodes
Patched Version: 3.2.94
Recommended Action: Update to version 3.2.94, or a newer patched version

Plugin: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.3.14
Recommended Action: Update to version 1.3.14, or a newer patched version

Plugin: Easy Table of Contents

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 2.0.67.1
Recommended Action: Update to version 2.0.67.1, or a newer patched version

Plugin: Squeeze

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.4.1
Recommended Action: Update to version 1.4.1, or a newer patched version

Plugin: WPQA – Builder forms Addon For WordPress

Vulnerability: Not specified in this advisory (affected versions <= 6.1.0)
Patched Version: 6.1.1
Recommended Action: Update to version 6.1.1, or a newer patched version

Plugin: Heateor Social Login WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.33
Recommended Action: Update to version 1.1.33, or a newer patched version

Plugin: WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin

Vulnerability: Missing Authorization to Limited Privilege Escalation
Patched Version: 1.0.22
Recommended Action: Update to version 1.0.22, or a newer patched version

Plugin: Divi Torque Lite – Best Divi Addon, Extensions, Modules & Social Modules

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: 4.0.0
Recommended Action: Update to version 4.0.0, or a newer patched version

Plugin: Admin Columns Pro

Vulnerability: Authenticated (Subscriber+) CSV Injection
Patched Version: 6.4.10
Recommended Action: Update to version 6.4.10, or a newer patched version

Plugin: Pexels: Free Stock Photos

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages

Vulnerability: Missing Authorization
Patched Version: 3.4.20
Recommended Action: Update to version 3.4.20, or a newer patched version

Plugin: Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.4.8
Recommended Action: Update to version 4.4.8, or a newer patched version

Plugin: Sensei Pro (WC Paid Courses)

Vulnerability: Authenticated (Student+) Stored Cross-Site Scripting
Patched Version: 4.24.0.1.24.0
Recommended Action: Update to version 4.24.0.1.24.0, or a newer patched version

Plugin: Stratum – Elementor Widgets

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: Extra Product Options for WooCommerce

Vulnerability: Missing Authorization
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: tagDiv Composer

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: Animated AL List

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gallery – Image and Video Gallery with Thumbnails

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Maintenance

Vulnerability: IP Spoofing to Maintenance Mode Bypass
Patched Version: 6.1.9.3
Recommended Action: Update to version 6.1.9.3, or a newer patched version

Plugin: Profile Builder Pro

Vulnerability: Privilege Escalation
Patched Version: 3.1.1
Recommended Action: Update to version 3.1.1, or a newer patched version

Plugin: InstaWP Connect – 1-click WP Staging & Migration

Vulnerability: Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation
Patched Version: 0.1.0.39
Recommended Action: Update to version 0.1.0.39, or a newer patched version

Plugin: WP Docs

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.1.4
Recommended Action: Update to version 2.1.4, or a newer patched version

Plugin: Canto

Vulnerability: Unauthenticated Remote File Inclusion
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: Slideshow SE

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Database Cleaner

Vulnerability: Authenticated (Admin+) Arbitrary File Read
Patched Version: 1.0.6
Recommended Action: Update to version 1.0.6, or a newer patched version

Plugin: Recurring PayPal Donations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting
Patched Version: 3.2.87
Recommended Action: Update to version 3.2.87, or a newer patched version

Plugin: EleSpare: Elementor Newspaper, Magazine and Blog Addons – 35+ Post Grid, Slider, Carousel, List & Tile, 350+ Templates, Drag & Drop Header/Footer and Page Builder, 1-Click Import – No Coding Hassle!

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Horizontal Nav Menu Widget
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: WooCommerce – Social Login

Vulnerability: Not specified in this advisory (affected versions <= 2.6.2)
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Vulnerability: Cross-Site Request Forgery
Patched Version: 5.2.4
Recommended Action: Update to version 5.2.4, or a newer patched version

Plugin: Shariff Wrapper

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.6.14
Recommended Action: Update to version 4.6.14, or a newer patched version

Plugin: Greenshift – animation and page builder blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.9.4
Recommended Action: Update to version 8.9.4, or a newer patched version

Plugin: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer

Vulnerability: Missing Authorization in Settings Import to Stored Cross-Site Scripting
Patched Version: 2.13.45
Recommended Action: Update to version 2.13.45, or a newer patched version

Plugin: Serious Slider

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.5
Recommended Action: Update to version 1.2.5, or a newer patched version

Plugin: LA-Studio Element Kit for Elementor

Vulnerability: Missing Authorization
Patched Version: 1.3.7.4
Recommended Action: Update to version 1.3.7.4, or a newer patched version

Plugin: Live Composer – Free WordPress Website Builder

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 1.5.48
Recommended Action: Update to version 1.5.48, or a newer patched version

Plugin: Footer Contacts Bar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Termly – GDPR/CCPA Cookie Consent Banner

Vulnerability: Missing Authorization via handle_consent_toggle()
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Missing Authorization and Nonce Exposure
Patched Version: 4.3.2
Recommended Action: Update to version 4.3.2, or a newer patched version

Plugin: Stellissimo Text Box

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Sitemap – Create a Responsive HTML Sitemap

Vulnerability: Cross-Site Request Forgery via admin_notices
Patched Version: 3.5.14
Recommended Action: Update to version 3.5.14, or a newer patched version

Plugin: Slider Responsive Slideshow – Image slider, Gallery slideshow

Vulnerability: Missing Authorization
Patched Version: 1.4.2
Recommended Action: Update to version 1.4.2, or a newer patched version

Plugin: SC filechecker

Vulnerability: Authenticated (Admin+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP

Vulnerability: Authenticated (Contributor+) Arbitrary File Inclusion via Shortcode
Patched Version: 1.3.14
Recommended Action: Update to version 1.3.14, or a newer patched version

Plugin: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Custom URL
Patched Version: 2.4.16
Recommended Action: Update to version 2.4.16, or a newer patched version

Plugin: Events Manager – Calendar, Bookings, Tickets, and more!

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via event, location, and event_category Shortcodes
Patched Version: 6.4.8
Recommended Action: Update to version 6.4.8, or a newer patched version

Plugin: Widget4Call

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 4.10.34
Recommended Action: Update to version 4.10.34, or a newer patched version

Plugin: Pagerank tools

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched Version: 2.0.6.0
Recommended Action: Update to version 2.0.6.0, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Contributor+) Information Exposure
Patched Version: 1.5.110
Recommended Action: Update to version 1.5.110, or a newer patched version

Plugin: Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more

Vulnerability: Exposure of Sensitive Information via the UI
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: ZM Ajax Login & Register

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery

Vulnerability: Missing Authorization
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: SEOPress – On-site SEO

Vulnerability: Authenticated (Contributor+) Open Redirect
Patched Version: 7.8
Recommended Action: Update to version 7.8, or a newer patched version

Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager

Vulnerability: Directory Traversal via handle_folders_file_upload
Patched Version: 3.0.1
Recommended Action: Update to version 3.0.1, or a newer patched version

Plugin: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Site Title Widget
Patched Version: 1.6.36
Recommended Action: Update to version 1.6.36, or a newer patched version

Plugin: Active Products Tables for WooCommerce. Use constructor to create tables 

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.6.4
Recommended Action: Update to version 1.0.6.4, or a newer patched version

Plugin: sitetweet

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: RestroPress – Online Food Ordering System

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.2.2
Recommended Action: Update to version 3.1.2.2, or a newer patched version

Plugin: Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit

Vulnerability: Automatic AI Content Writer <= 2.0.5
Patched Version: 2.0.6
Recommended Action: Update to version 2.0.6, or a newer patched version

Plugin: Visualizer: Tables and Charts Manager for WordPress

Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 3.11.2
Recommended Action: Update to version 3.11.2, or a newer patched version

Plugin: FOX – Currency Switcher Professional for WooCommerce

Vulnerability: Authenticated Local File Inclusion
Patched Version: 1.3.7.1
Recommended Action: Update to version 1.3.7.1, or a newer patched version

Plugin: Leyka

Vulnerability: Missing Authorization
Patched Version: 3.31.2
Recommended Action: Update to version 3.31.2, or a newer patched version

Plugin: WordPress Header Builder Plugin – Pearl

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Site Options Deletion
Patched Version: 1.3.8
Recommended Action: Update to version 1.3.8, or a newer patched version

Plugin: Jeg Elementor Kit

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via JKit
Patched Version: 2.6.6
Recommended Action: Update to version 2.6.6, or a newer patched version

Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress

Vulnerability: Authenticated (Author+) SQL Injection
Patched Version: 1.7.3
Recommended Action: Update to version 1.7.3, or a newer patched version

Plugin: Block for Font Awesome

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via PDF Widget URL
Patched Version: 3.9.11
Recommended Action: Update to version 3.9.11, or a newer patched version

Plugin: Kenta Blocks – Responsive Blocks and block templates library

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Advanced Woo Labels – Product Labels for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.94
Recommended Action: Update to version 1.94, or a newer patched version

Plugin: Upunzipper

Vulnerability: Authenticated (Admin+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Link Effects Widget
Patched Version: 2.7.21
Recommended Action: Update to version 2.7.21, or a newer patched version

Plugin: Tickera – WordPress Event Ticketing

Vulnerability: Missing Authorization
Patched Version: 3.5.2.7
Recommended Action: Update to version 3.5.2.7, or a newer patched version

Plugin: Dashboard Widgets Suite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.4.4
Recommended Action: Update to version 3.4.4, or a newer patched version

Plugin: Widget Options – Extended

Vulnerability: Extended <= 5.1.0 & Widget Options <= 4.0.1
Patched Version: 5.1.3
Recommended Action: Update to version 5.1.3, or a newer patched version

Plugin: CoDesigner – All in One Elementor WooCommerce Builder

Vulnerability: Unauthenticated PHP Object Injection
Patched Version: 4.5
Recommended Action: Update to version 4.5, or a newer patched version

Plugin: Collapse-O-Matic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: YARPP – Yet Another Related Posts Plugin

Vulnerability: Authenticated (Administrator+) Cross-Site Scripting
Patched Version: 5.30.10
Recommended Action: Update to version 5.30.10, or a newer patched version

Plugin: Cooked – Recipe Management

Vulnerability: No subtitle
Patched Version: 1.8.0
Recommended Action: Update to version 1.8.0, or a newer patched version

Plugin: Customer Reviews for WooCommerce

Vulnerability: Authenticated (Subscriber+) Local File Inclusion
Patched Version: 5.16.0
Recommended Action: Update to version 5.16.0, or a newer patched version

Plugin: Tickera – WordPress Event Ticketing

Vulnerability: Missing Authorization to Authenticated (Subscriber+) Ticket Deletion
Patched Version: 3.5.2.9
Recommended Action: Update to version 3.5.2.9, or a newer patched version

Plugin: Dokan Pro

Vulnerability: Unauthenticated SQL Injection
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version

Plugin: Themeflection Numbers – Number Counter and Animated Numbers

Vulnerability: Authenticated (Subscriber+) Privilege Escalation via tf_numb_save_licenses
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.0.39
Recommended Action: Update to version 9.0.39, or a newer patched version

Plugin: MegaMenu

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 2.3.13
Recommended Action: Update to version 2.3.13, or a newer patched version

Plugin: Ibtana – WordPress Website Builder

Vulnerability: WordPress Website Builder <= 1.2.3.3
Patched Version: 1.2.3.4
Recommended Action: Update to version 1.2.3.4, or a newer patched version

Plugin: Woody code snippets – Insert Header Footer Code, AdSense Ads

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Album Gallery – WordPress Gallery

Vulnerability: Missing Authorization
Patched Version: 1.5.8
Recommended Action: Update to version 1.5.8, or a newer patched version

Plugin: Image Optimizer, Resizer and CDN – Sirv

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 7.2.7
Recommended Action: Update to version 7.2.7, or a newer patched version

Plugin: WooCommerce Dropshipping Premium

Vulnerability: Missing Authorization to Unauthenticated Arbitrary Email Send
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: WP Shortcodes Plugin — Shortcodes Ultimate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via su_lightbox Shortcode
Patched Version: 7.1.7
Recommended Action: Update to version 7.1.7, or a newer patched version

Plugin: Newsletter – API v1 and v2 addon for Newsletter

Vulnerability: API v1 and v2 addon for Newsletter <= 2.4.5
Patched Version: 2.4.6
Recommended Action: Update to version 2.4.6, or a newer patched version

Plugin: Business Directory Plugin – Easy Listing Directories for WordPress

Vulnerability: Authenticated (Author+) CSV Injection
Patched Version: 6.4.4
Recommended Action: Update to version 6.4.4, or a newer patched version

Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Sina Particle Layer’
Patched Version: 3.5.4
Recommended Action: Update to version 3.5.4, or a newer patched version

Plugin: BuddyPress Cover

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Folders Pro

Vulnerability: Authenticated (Author+) Arbitrary File Upload via handle_folders_file_upload
Patched Version: 3.0.3
Recommended Action: Update to version 3.0.3, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Directory Traversal to Remote Code Execution
Patched Version: 4.13.0
Recommended Action: Update to version 4.13.0, or a newer patched version

Plugin: WooCommerce – Social Login

Vulnerability: Social Login <= 2.6.2
Patched Version: 2.6.3
Recommended Action: Update to version 2.6.3, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.
