Watch Out Wednesday – June 26, 2024

Home » Watch Out Wednesday – June 26, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Gallery
Patched Version: 3.59.3
Recommended Action: Update to version 3.59.3, or a newer patched version

Plugin: User Submitted Posts – Enable Users to Submit Posts from the Front End

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 20240516
Recommended Action: Update to version 20240516, or a newer patched version

Plugin: User Profile Picture

Vulnerability: Authenticated (Author+) Insecure Direct Object Reference to Profile Picture Update
Patched Version: 2.6.2
Recommended Action: Update to version 2.6.2, or a newer patched version

Plugin: ContentLock

Vulnerability: Cross-Site Request Forgery to Group/Email Deletion
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.8
Recommended Action: Update to version 3.6.8, or a newer patched version

Plugin: Cost Calculator Builder PRO

Vulnerability: Unauthenticated Arbitrary Email Sending
Patched Version: 3.1.76
Recommended Action: Update to version 3.1.76, or a newer patched version

Plugin: Slider by 10Web – Responsive Image Slider

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.2.56
Recommended Action: Update to version 1.2.56, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia Pro

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Cross-Site Request Forgery to Post Creation and Limited Data Loss
Patched Version: 3.2.20
Recommended Action: Update to version 3.2.20, or a newer patched version

Plugin: Ad Blocking Detector

Vulnerability: Full Path Disclosure
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: WP Affiliate Platform

Vulnerability: Cross-Site Request Forgery to Cross-Site Scripting
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

Plugin: Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer

Vulnerability: Missing Authorization
Patched Version: 1.1.1
Recommended Action: Update to version 1.1.1, or a newer patched version

Plugin: Wheel of Life: Coaching and Assessment Tool for Life Coach

Vulnerability: Missing Authorization on Several AJAX Endpoints
Patched Version: 1.1.8
Recommended Action: Update to version 1.1.8, or a newer patched version

Plugin: Wishlist Member

Vulnerability: Unauthenticated Denial of Service
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: WP Magazine Modules Lite

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version

Plugin: SULly

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: WordPress Button Plugin MaxButtons

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 9.7.8
Recommended Action: Update to version 9.7.8, or a newer patched version

Plugin: Social Media Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms

Vulnerability: Missing Authorization
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version

Plugin: Website Content in Page or Post

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2024.04.09
Recommended Action: Update to version 2024.04.09, or a newer patched version

Plugin: Newspack Blocks

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 3.0.9
Recommended Action: Update to version 3.0.9, or a newer patched version

Plugin: Tournamatch

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: Wishlist Member

Vulnerability: Unauthenticated Arbitrary SQL Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Live Composer – Free WordPress Website Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.43
Recommended Action: Update to version 1.5.43, or a newer patched version

Plugin: The Plus Addons for Elementor Page Builder

Vulnerability: Reflected Cross-Site Scripting via WP Login and Register Widget
Patched Version: 5.6.0
Recommended Action: Update to version 5.6.0, or a newer patched version

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Services and Post Type Grid Widgets
Patched Version: 2.10.35
Recommended Action: Update to version 2.10.35, or a newer patched version

Plugin: Restaurant Reservations

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Consulting Elementor Widgets

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Wishlist Member

Vulnerability: Authenticated (Subscriber+) Arbitrary File Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Picture / Portfolio / Media Gallery

Vulnerability: Unauthenticated Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Missing Authorization
Patched Version: 3.2.13
Recommended Action: Update to version 3.2.13, or a newer patched version

Plugin: Consulting Elementor Widgets

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Shortcodes by United Themes

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Template Part Block
Patched Version: 5.9.10
Recommended Action: Update to one of the following versions, or a newer patched version: 5.9.10, 6.0.9, 6.1.7, 6.2.6, 6.3.5, 6.4.5, 6.5.5

Plugin: OpenPGP Form Encryption for WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.5.1
Recommended Action: Update to version 1.5.1, or a newer patched version

Plugin: WP Affiliate Platform

Vulnerability: Reflected Cross-Site Scripting via Lead Editing
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

Plugin: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

Vulnerability: Open Redirect
Patched Version: 2.0.11
Recommended Action: Update to version 2.0.11, or a newer patched version

Plugin: Lifeline Donation

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Bible Text

Plugin: Login with phone number

Vulnerability: Insecure Password Reset Mechanism
Patched Version: 1.7.35
Recommended Action: Update to version 1.7.35, or a newer patched version

Plugin: Branda – Branda – White Label & Branding, Custom Login Page Customizer

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: 3.4.18
Recommended Action: Update to version 3.4.18, or a newer patched version

Plugin: Page Builder Sandwich – Front End WordPress Page Builder Plugin

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ContentLock

Vulnerability: Cross-Site Request Forgery to Email Adding
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer)

Vulnerability: Use of Polyfill.io
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Seriously Simple Podcasting

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: Elegant Themes Icons

Plugin: WP SVG Images

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: 4.3
Recommended Action: Update to version 4.3, or a newer patched version

Plugin: Bug Library

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Wp EMember

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 10.6.6
Recommended Action: Update to version 10.6.6, or a newer patched version

Plugin: Quotes and Tips by BestWebSoft

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.45
Recommended Action: Update to version 1.45, or a newer patched version

Plugin: Media Library Assistant

Vulnerability: Authenticated (Contributor+) SQL Injection via order Parameter
Patched Version: 3.17
Recommended Action: Update to version 3.17, or a newer patched version

Plugin: Salon Booking System

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 10.3
Recommended Action: Update to version 10.3, or a newer patched version

Plugin: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 9.0.5
Recommended Action: Update to version 9.0.5, or a newer patched version

Plugin: If-So Dynamic Content Personalization

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8.0.4
Recommended Action: Update to version 1.8.0.4, or a newer patched version

Plugin: ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Vulnerability: Cross-Site Request Forgery via multiple functions
Patched Version: 6.7.1
Recommended Action: Update to version 6.7.1, or a newer patched version

Plugin: MainWP White Label Extension

Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: Top Bar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.0.6
Recommended Action: Update to version 3.0.6, or a newer patched version

Plugin: WP Scraper

Vulnerability: Authenticated (Subscriber+) Server-Side Request Forgery
Patched Version: 5.8.1
Recommended Action: Update to version 5.8.1, or a newer patched version

Plugin: JetWidgets For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via layout_type and id Parameters
Patched Version: 1.0.18
Recommended Action: Update to version 1.0.18, or a newer patched version

Plugin: Themify – WooCommerce Product Filter

Vulnerability: WooCommerce Product Filter <= 1.4.9
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Swift Framework

Vulnerability: No subtitle
Patched Version: 2024.04.30
Recommended Action: Update to version 2024.04.30, or a newer patched version

Plugin: SiteGuard WP Plugin

Vulnerability: Login Page Disclosure
Patched Version: 1.7.7
Recommended Action: Update to version 1.7.7, or a newer patched version

Plugin: Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter

Plugin: Swift Framework

Vulnerability: No subtitle
Patched Version: 2024.04.30
Recommended Action: Update to version 2024.04.30, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via title_tag
Patched Version: 3.10.5
Recommended Action: Update to version 3.10.5, or a newer patched version

Plugin: Newsletters

Vulnerability: Cross-Site Request Forgery
Patched Version: 4.9.8
Recommended Action: Update to version 4.9.8, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Contributor+) Directory Traversal
Patched Version: 4.1.41
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.41, 4.2.38, 4.3.34, 4.4.33, 4.5.32, 4.6.29, 4.7.29, 4.8.25, 4.9.26, 5.0.22, 5.1.19, 5.2.21, 5.3.18, 5.4.16, 5.5.15, 5.6.14, 5.7.12, 5.8.10, 5.9.10, 6.0.9, 6.1.7, 6.2.6, 6.3.5, 6.4.5, 6.5.5

Plugin: Custom Product List Table

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Affiliate Platform

Vulnerability: Reflected Cross-Site Scripting via Registration Form
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

Plugin: Laybuy Payment Extension for WooCommerce

Plugin: Demo Awesome

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.2
Recommended Action: Update to version 1.0.2, or a newer patched version

Plugin: Name: CM E-Mail Registration Blacklist

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.4.9
Recommended Action: Update to version 1.4.9, or a newer patched version

Plugin: WPS Hide Login

Vulnerability: Login Page Disclosure
Patched Version: 1.9.16.4
Recommended Action: Update to version 1.9.16.4, or a newer patched version

Plugin: Accordion – Multiple Accordion or FAQs Builder

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Blog Post Layouts

Vulnerability: Authenticated (Contributor+) Local File Inlcusion
Patched Version: 1.1.4
Recommended Action: Update to version 1.1.4, or a newer patched version

Plugin: WP eStore

Vulnerability: Reflected Cross-Site Scripting via Category Editing
Patched Version: 8.5.5
Recommended Action: Update to version 8.5.5, or a newer patched version

Plugin: Ultimate Blocks – WordPress Blocks Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.1.9
Recommended Action: Update to version 3.1.9, or a newer patched version

Plugin: Wishlist Member

Vulnerability: Unauthenticated Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Demo Awesome

Vulnerability: Missing Authorization
Patched Version: 1.0.3
Recommended Action: Update to version 1.0.3, or a newer patched version

Plugin: Twenty20 Image Before-After

Vulnerability: Injected Backdoor
Patched Version: 1.6.4
Recommended Action: Update to version 1.6.4, or a newer patched version

Plugin: AliExpress Dropshipping Plugin for WooCommerce – AliNext

Vulnerability: Cross-Site Request Forgery to PHP Object Injection
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: Meks Smart Social Widget

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version

Plugin: WP Child Theme Generator

Vulnerability: Missing Authorization to Unauthenticated Child Theme Creation/Activation
Patched Version: 1.1.2
Recommended Action: Update to version 1.1.2, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.4.1.2
Recommended Action: Update to version 3.4.1.2, or a newer patched version

Plugin: WP Hotel Booking

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.1.1
Recommended Action: Update to version 2.1.1, or a newer patched version

Plugin: Export WP Page to Static HTML/CSS

Vulnerability: Open Redirect
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version

Plugin: Wp EMember

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 10.6.7
Recommended Action: Update to version 10.6.7, or a newer patched version

Plugin: Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension

Plugin: WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce

Vulnerability: Authenticated (Contributor+) File inclusion via Shortcode
Patched Version: 2.2.26
Recommended Action: Update to version 2.2.26, or a newer patched version

Plugin: ContentLock

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: 1.0.4
Recommended Action: Update to version 1.0.4, or a newer patched version

Plugin: WP Affiliate Platform

Vulnerability: Reflected Cross-Site Scripting via Banner Editing
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

Plugin: phpinfo() WP

Vulnerability: Unauthenticated Information Exposure
Patched Version: 6.0
Recommended Action: Update to version 6.0, or a newer patched version

Plugin: WP QuickLaTeX

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.8.7
Recommended Action: Update to version 3.8.7, or a newer patched version

Plugin: UberMenu

Vulnerability: Cross-Site Request Forgery to Settings Reset
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: SP Project & Document Manager

Vulnerability: Authenticated (Subscriber+) Directory Traversal
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Zita Elementor Site Library

Vulnerability: Missing Authorization to Page Creation and Options Modification
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version

Plugin: Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 3.5.5
Recommended Action: Update to version 3.5.5, or a newer patched version

Plugin: Empty Cart Button for WooCommerce

Plugin: Sketchfab Embed

Plugin: Loco Translate

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.10
Recommended Action: Update to version 2.6.10, or a newer patched version

Plugin: WP Affiliate Platform

Vulnerability: Cross-Site Request Forgery to Profile Update
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

Plugin: Bricks Builder

Vulnerability: Insecure Direct Object Reference
Patched Version: 1.9.9
Recommended Action: Update to version 1.9.9, or a newer patched version

Plugin: Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Vulnerability: IP Address Spoofing to Denial of Service
Patched Version: 9.3.2
Recommended Action: Update to version 9.3.2, or a newer patched version

Plugin: Hercules Core

Vulnerability: Missing Authorization to Settings Update
Patched Version: 6.7
Recommended Action: Update to version 6.7, or a newer patched version

Plugin: Zoho Marketing Automation

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 1.2.8
Recommended Action: Update to version 1.2.8, or a newer patched version

Plugin: Kanban Boards for WordPress

Plugin: Falang multilanguage for WordPress

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.3.52
Recommended Action: Update to version 1.3.52, or a newer patched version

Plugin: WPAdverts – Classifieds Plugin

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: My Favorites

Plugin: Gallery Slideshow

Plugin: Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Subscribers and Landing Pages

Vulnerability: Missing Authorization
Patched Version: 2.4.9.1
Recommended Action: Update to version 2.4.9.1, or a newer patched version

Plugin: Pexels: Free Stock Photos

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Vulnerability: Missing Authorization
Patched Version: 4.5.2
Recommended Action: Update to version 4.5.2, or a newer patched version

Plugin: All In One Redirection

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP eStore

Vulnerability: Reflected Cross-Site Scripting via Customer Editing
Patched Version: 8.5.5
Recommended Action: Update to version 8.5.5, or a newer patched version

Plugin: Gallery Plugin for WordPress – Envira Photo Gallery

Vulnerability: Cross-Site Request Forgery to Notice Dismissal
Patched Version: 1.8.8
Recommended Action: Update to version 1.8.8, or a newer patched version

Plugin: User Rights Access Manager

Plugin: Hostel

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.1.5.3
Recommended Action: Update to version 1.1.5.3, or a newer patched version

Plugin: AliExpress Dropshipping Plugin for WooCommerce – AliNext

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: WP eStore

Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI
Patched Version: 8.5.5
Recommended Action: Update to version 8.5.5, or a newer patched version

Plugin: Photo Video Gallery Master

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Video Directory

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.4.4
Recommended Action: Update to version 1.4.4, or a newer patched version

Plugin: Smart Image Gallery

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.0.19
Recommended Action: Update to version 1.0.19, or a newer patched version

Plugin: The Plus Addons for Elementor Page Builder

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 5.6.0
Recommended Action: Update to version 5.6.0, or a newer patched version

Plugin: Index WP MySQL For Speed

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.4.18
Recommended Action: Update to version 1.4.18, or a newer patched version

Plugin: Wishlist Member

Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Page Builder Sandwich – Front End WordPress Page Builder Plugin

Plugin: Product Enquiry for WooCommerce

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.1.8
Recommended Action: Update to version 3.1.8, or a newer patched version

Plugin: Word Balloon

Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 4.22.0
Recommended Action: Update to version 4.22.0, or a newer patched version

Plugin: SULly

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: FS Poster – WordPress Social media Auto Poster & Scheduler [Facebook, Instagram, Twitter, Pinterest]

Plugin: Custom Field Suite

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via cfs[post_title]
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BlossomThemes Email Newsletter

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 2.2.7
Recommended Action: Update to version 2.2.7, or a newer patched version

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Image Title
Patched Version: 3.2.20
Recommended Action: Update to version 3.2.20, or a newer patched version

Plugin: Sparkle Demo Importer

Vulnerability: Missing Authorization to Authorized(Subscriber+) Post/Pages/Attachements Deletion and Demo Data Import
Patched Version: 1.4.8
Recommended Action: Update to version 1.4.8, or a newer patched version

Plugin: Kimili Flash Embed

Plugin: Universal Slider

Plugin: Spectra – WordPress Gutenberg Blocks

Vulnerability: Missing Authorization
Patched Version: 2.6.7
Recommended Action: Update to version 2.6.7, or a newer patched version

Plugin: WP Secure Maintenance

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7
Recommended Action: Update to version 1.7, or a newer patched version

Plugin: Wp EMember

Vulnerability: Reflected Cross-Site Scripting via ‘editrecord’
Patched Version: 10.6.6
Recommended Action: Update to version 10.6.6, or a newer patched version

Plugin: AliExpress Dropshipping Plugin for WooCommerce – AliNext

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version

Plugin: License Manager for WooCommerce

Vulnerability: Improper Authorization to Authenticated(Contributor+) Sensitive Information Exposure
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Newspack Newsletters

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.13.3
Recommended Action: Update to version 2.13.3, or a newer patched version

Plugin: EleSpare: Elementor Newspaper, Magazine and Blog Addons – 35+ Post Grid, Slider, Carousel, List & Tile, 350+ Templates, Drag & Drop Header/Footer and Page Builder, 1-Click Import – No Coding Hassle!

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Horizontal Nav Menu Widget
Patched Version: 3.2.0
Recommended Action: Update to version 3.2.0, or a newer patched version

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.4.3
Recommended Action: Update to version 3.4.3, or a newer patched version

Plugin: Wp EMember

Vulnerability: Reflected Cross-Site Scripting via ‘login_pwd’
Patched Version: 10.6.6
Recommended Action: Update to version 10.6.6, or a newer patched version

Plugin: Greenshift – animation and page builder blocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 8.9.4
Recommended Action: Update to version 8.9.4, or a newer patched version

Plugin: Event Monster – Event Management, Tickets Booking, Upcoming Event

Plugin: Smart Forms – when you need more than just a contact form

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.94
Recommended Action: Update to version 2.6.94, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm-all-packages Shortcode
Patched Version: 3.2.91
Recommended Action: Update to version 3.2.91, or a newer patched version

Plugin: Wp EMember

Vulnerability: Cross-Site Request Forgery to Bulk Delete
Patched Version: 10.6.6
Recommended Action: Update to version 10.6.6, or a newer patched version

Plugin: Transition Slider – Responsive Image Slider and Gallery

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SULly

Vulnerability: Cross-Site Request Forgery to Plugin Reset
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio

Plugin: Exclusive Addons for Elementor

Vulnerability: Authenticated (Contibutor+) Stored Cross-Site Scripting via Card Widget
Patched Version: 2.6.9.9
Recommended Action: Update to version 2.6.9.9, or a newer patched version

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: MIMO Woocommerce Order Tracking

Vulnerability: Missing Authorization to Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Consulting Elementor Widgets

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Quiz Maker

Vulnerability: Unauthenticated SQL Injection via ‘ays_questions’ Parameter
Patched Version: 6.5.8.4
Recommended Action: Update to version 6.5.8.4, or a newer patched version

Plugin: Image Photo Gallery Final Tiles Grid

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Insert or Embed Articulate Content into WordPress

Vulnerability: Authenticated (Author+) Arbitrary File Upload
Patched Version: 4.3000000024
Recommended Action: Update to version 4.3000000024, or a newer patched version

Plugin: Custom Field Suite

Vulnerability: Authenticated (Contributor+) SQL Injection via Term Custom Field
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Woocommerce Customers Order History

Plugin: Shortcodes Ultimate Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.1.5
Recommended Action: Update to version 7.1.5, or a newer patched version

Plugin: Property Hive

Vulnerability: Missing Authorization
Patched Version: 2.0.10
Recommended Action: Update to version 2.0.10, or a newer patched version

Plugin: AliExpress Dropshipping Plugin for WooCommerce – AliNext

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.3.7
Recommended Action: Update to version 3.3.7, or a newer patched version

Plugin: Inline Related Posts

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.7.0
Recommended Action: Update to version 3.7.0, or a newer patched version

Core: WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML API
Patched Version: 5.9.10
Recommended Action: Update to one of the following versions, or a newer patched version: 5.9.10, 6.0.9, 6.1.7, 6.2.6, 6.3.5, 6.4.5, 6.5.5

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita

Vulnerability: Missing Authorization to Unauthenticated Stored Cross-Site Scripting
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: WP Job Manager – Resume Manager

Vulnerability: Resume Manager <= 2.1.0
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version

Plugin: Tournamatch

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 4.6.1
Recommended Action: Update to version 4.6.1, or a newer patched version

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 3.1.43
Recommended Action: Update to version 3.1.43, or a newer patched version

Plugin: WP eStore

Vulnerability: Reflected Cross-Site Scripting via Discount Editing
Patched Version: 8.5.5
Recommended Action: Update to version 8.5.5, or a newer patched version

Plugin: SEOPress – On-site SEO

Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting via Social Image URL
Patched Version: 7.9.1
Recommended Action: Update to version 7.9.1, or a newer patched version

Plugin: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

Vulnerability: Cross-Site Request Forgery to Membership Modification
Patched Version: 3.0
Recommended Action: Update to version 3.0, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.23
Patched Version: 5.7.24
Recommended Action: Update to version 5.7.24, or a newer patched version

Plugin: Pure Chat – Live Chat & More!

Vulnerability: Cross-Site Request Forgery
Patched Version: 2.23
Recommended Action: Update to version 2.23, or a newer patched version

Plugin: SULly

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 4.3.1
Recommended Action: Update to version 4.3.1, or a newer patched version

Plugin: Embed Peertube Playlist

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.10
Recommended Action: Update to version 1.10, or a newer patched version

Plugin: Consulting Elementor Widgets

Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: If-So Dynamic Content Personalization

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.8.0.4
Recommended Action: Update to version 1.8.0.4, or a newer patched version

Plugin: Tabs – Responsive Tabs with WooCommerce Product Tab Extension

Plugin: SVG Block

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG
Patched Version: 1.1.20
Recommended Action: Update to version 1.1.20, or a newer patched version

Plugin: InstaWP Connect – 1-click WP Staging & Migration

Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 0.1.0.39
Recommended Action: Update to version 0.1.0.39, or a newer patched version

Plugin: Live Composer – Free WordPress Website Builder

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.5.43
Recommended Action: Update to version 1.5.43, or a newer patched version

Plugin: WP Affiliate Platform

Vulnerability: Cross-Site Request Forgery to Reflected Cross-Site Scripting
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

Plugin: Wp EMember

Vulnerability: Cross-Site Request Forgery
Patched Version: 10.6.6
Recommended Action: Update to version 10.6.6, or a newer patched version

Plugin: Real Media Library: Media Library Folder & File Manager

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.22.12
Recommended Action: Update to version 4.22.12, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via profilepress-edit-profile Shortcode
Patched Version: 4.15.2
Recommended Action: Update to version 4.15.2, or a newer patched version

Plugin: Hide Dashboard Notifications

Vulnerability: Missing Authorization to Authenticated(Contributor+) Plugin Settings Modification
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Secure Copy Content Protection and Content Locking

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.0.9
Recommended Action: Update to version 4.0.9, or a newer patched version

Plugin: Wishlist Member

Vulnerability: Authenticated (Subscriber+) Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Website Banner

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.0.4
Recommended Action: Update to version 1.8.0.4, or a newer patched version

Plugin: WP 2FA – Two-factor authentication for WordPress

Vulnerability: Unauthenticated Information Exposure via Log File
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: WP Affiliate Platform

Vulnerability: Reflected Cross-Site Scripting via Affiliate Editing
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

Plugin: Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel

Vulnerability: Authenticated (Contributor+) Arbitrary Nonce Generation
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Table Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via _id Parameter
Patched Version: 2.1.3
Recommended Action: Update to version 2.1.3, or a newer patched version

Plugin: Master Slider – Responsive Touch Slider

Plugin: Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN

Vulnerability: Missing Authorization to Resmush List Deletion
Patched Version: 3.16.5
Recommended Action: Update to version 3.16.5, or a newer patched version

Plugin: Custom Field Suite

Vulnerability: Authenticated (Contributor+) PHP Code Injection via Loop Custom Field
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Wishlist Member

Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Support SVG – Upload svg files in wordpress without hassle

Vulnerability: Authenticated (Author+) Stored Cross-site Scripting via SVG
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version

Plugin: Image Optimizer, Resizer and CDN – Sirv

Vulnerability: Authenticated (Contributor+) Arbitrary File Upload
Patched Version: 7.2.7
Recommended Action: Update to version 7.2.7, or a newer patched version

Plugin: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.2.2
Recommended Action: Update to version 3.2.2, or a newer patched version

Plugin: Swift Framework

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2024.04.30
Recommended Action: Update to version 2024.04.30, or a newer patched version

Plugin: affiliate-toolkit – WP Affiliate Plugin with Amazon

Vulnerability: Unauthenticated Sensitive Information Exposure via Logs
Patched Version: 3.4.5
Recommended Action: Update to version 3.4.5, or a newer patched version

Plugin: Wishlist Member

Vulnerability: Missing Authorization to Information Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slideshow SE

Vulnerability: Authenticated (Author+) Limited Local File Inclusion
Patched Version: 2.5.18
Recommended Action: Update to version 2.5.18, or a newer patched version

Plugin: Shariff Wrapper

Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 4.6.14
Recommended Action: Update to version 4.6.14, or a newer patched version

Plugin: WP eStore

Vulnerability: Cross-Site Request Forgery to Coupon Deletion
Patched Version: 8.5.5
Recommended Action: Update to version 8.5.5, or a newer patched version

Plugin: Typing Text

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.6
Recommended Action: Update to version 1.2.6, or a newer patched version

Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.12.14
Recommended Action: Update to version 1.12.14, or a newer patched version

Plugin: WPZOOM Addons for Elementor (Templates, Widgets)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Team Members Widget
Patched Version: 1.1.39
Recommended Action: Update to version 1.1.39, or a newer patched version

Plugin: Wp EMember

Vulnerability: Reflected Cross-Site Scripting via Member Edit
Patched Version: 10.6.7
Recommended Action: Update to version 10.6.7, or a newer patched version

Plugin: WP Affiliate Platform

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 6.5.1
Recommended Action: Update to version 6.5.1, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.

About the Author

Odell Duppins Jr

Well qualified professional with plenty of hands on experience with various technologies. Excellent analytical and troubleshooting skills with a keen ability of developing and/or simplifying processes by finding and developing new innovative solutions.