Watch Out Wednesday – June 5, 2024

Understanding Vulnerabilities in WordPress Plugins

Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.

Plugin: Site Favicon

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.3
Recommended Action: Update to version 0.3, or a newer patched version

Plugin: Page Builder Gutenberg Blocks – CoBlocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Social Profiles
Patched Version: 3.1.10
Recommended Action: Update to version 3.1.10, or a newer patched version

Plugin: ShareThis Share Buttons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via sharethis-inline-buttons Shortcode
Patched Version: 2.3.1
Recommended Action: Update to version 2.3.1, or a newer patched version

Plugin: Five Star Restaurant Menu and Food Ordering

Vulnerability: Missing Authorization to Menu Creation
Patched Version: 2.4.17
Recommended Action: Update to version 2.4.17, or a newer patched version

Plugin: WordPress Jitsi Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Responsive Owl Carousel for Elementor

Vulnerability: Local File Inclusion
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: Simple Like Page Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.3
Recommended Action: Update to version 1.5.3, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Missing Authorization to Arbitrary Options Update
Patched Version: 4.1.3
Recommended Action: Update to version 4.1.3, or a newer patched version

Plugin: Admin Notices Manager

Vulnerability: Missing Authorization to Authenticated (Subscriber+) User Email Retrieval
Patched Version: 1.5.0
Recommended Action: Update to version 1.5.0, or a newer patched version

Plugin: Similarity

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comparison Slider

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: AffiEasy

Vulnerability: Cross-Site Request Forgery to Various Actions
Patched Version: 1.1.7
Recommended Action: Update to version 1.1.7, or a newer patched version

Plugin: HTML5 Video Player – mp4 Video Player Plugin and Block

Vulnerability: Unauthenticated SQL Injection via id
Patched Version: 2.5.25
Recommended Action: Update to version 2.5.25, or a newer patched version

Plugin: Integrate Google Drive

Vulnerability: Missing Authorization
Patched Version: 1.3.94
Recommended Action: Update to version 1.3.94, or a newer patched version

Plugin: WC Shop Sync – Square Payment Gateway for WooCommerce, Inventory Sync Between Square and WooCommerce, Ultimate WooCommerce Square Plugin

Vulnerability: Missing Authorization
Patched Version: 4.4.2
Recommended Action: Update to version 4.4.2, or a newer patched version

Plugin: Sermon'e – Sermons Online

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: HTML5 Video Player – mp4 Video Player Plugin and Block

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 2.5.19
Recommended Action: Update to version 2.5.19, or a newer patched version

Plugin: HUSKY – Products Filter Professional for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.6
Recommended Action: Update to version 1.3.6, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.10.19
Recommended Action: Update to version 4.10.19, or a newer patched version

Plugin: FileBird – WordPress Media Library Folders & File Manager

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 5.6.4
Recommended Action: Update to version 5.6.4, or a newer patched version

Plugin: Debug Log Manager

Vulnerability: Missing Authorization
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Save as PDF Plugin by Pdfcrowd

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version

Plugin: CB (legacy)

Vulnerability: Cross-Site Request Forgery to Code/Timeframe/Booking Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Content Blocks (Custom Post Widget)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via content_block Shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Missing Authorization to Information Disclosure
Patched Version: 4.10.32
Recommended Action: Update to version 4.10.32, or a newer patched version

Plugin: DethemeKit For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via slitems Attribute
Patched Version: 2.1.5
Recommended Action: Update to version 2.1.5, or a newer patched version

Plugin: WP Scraper

Vulnerability: Missing Authorization to Arbitrary Page/Post Creation
Patched Version: 5.8
Recommended Action: Update to version 5.8, or a newer patched version

Plugin: Social Link Pages: link-in-bio landing pages for your social media profiles

Vulnerability: Missing Authorization to Arbitrary Page Creation and Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Contact Form Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.1
Recommended Action: Update to version 1.6.1, or a newer patched version

Plugin: WP Translate – WordPress Translation Plugin

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 0.7.0
Recommended Action: Update to version 0.7.0, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.4.3
Recommended Action: Update to version 2.7.4.3, or a newer patched version

Plugin: WP Logs Book

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Logs Book

Vulnerability: Cross-Site Request Forgery to Log Disabling
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SEOPress – On-site SEO

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 7.8
Recommended Action: Update to version 7.8, or a newer patched version

Plugin: Alemha watermarker

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PopupAlly

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.1.2
Recommended Action: Update to version 2.1.2, or a newer patched version

Plugin: FS Product Inquiry

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +17 Modules – All in One Solution (formerly WooLentor)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via WL Universal Product Layout
Patched Version: 2.8.4
Recommended Action: Update to version 2.8.4, or a newer patched version

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.6.1.1
Recommended Action: Update to version 4.6.1.1, or a newer patched version

Plugin: Tainacan

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 0.21.4
Recommended Action: Update to version 0.21.4, or a newer patched version

Plugin: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.12.7
Recommended Action: Update to version 1.12.7, or a newer patched version

Plugin: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Vulnerability: Missing Authorization to Appointment Time Alteration
Patched Version: 1.0.83
Recommended Action: Update to version 1.0.83, or a newer patched version

Plugin: Exclusive Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Grid
Patched Version: 2.6.9.3
Recommended Action: Update to version 2.6.9.3, or a newer patched version

Plugin: WP-DB-Table-Editor

Vulnerability: Missing Authorization to Authenticated (Contributor+) Database Access
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Master Slider – Responsive Touch Slider

Vulnerability: Responsive Touch Slider <= 3.9.9
Patched Version: 3.9.10
Recommended Action: Update to version 3.9.10, or a newer patched version

Plugin: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches

Vulnerability: Cross-Site Request Forgery
Patched Version: 19.1.11
Recommended Action: Update to version 19.1.11, or a newer patched version

Plugin: CSSable Countdown

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: Mega Addons For Elementor

Vulnerability: Missing Authorization
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version

Plugin: Resume Builder

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: 3.2
Recommended Action: Update to version 3.2, or a newer patched version

Plugin: WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Reservation Form Shortcode
Patched Version: 2.2.26
Recommended Action: Update to version 2.2.26, or a newer patched version

Plugin: HT Mega – Absolute Addons For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Grid Widget
Patched Version: 2.5.0
Recommended Action: Update to version 2.5.0, or a newer patched version

Plugin: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.8.4
Recommended Action: Update to version 3.8.4, or a newer patched version

Plugin: WPBakery Visual Composer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title tag attribute
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: Google CSE

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Next Post Navi

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: The Plus Addons for Elementor Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Heading Title Widget
Patched Version: 5.5.5
Recommended Action: Update to version 5.5.5, or a newer patched version

Plugin: Simple COD Fees for WooCommerce

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Comment System Plugin for WordPress & Ajax Comments – Comment Press

Vulnerability: Cross-Frame Scripting
Patched Version: 2.7.2
Recommended Action: Update to version 2.7.2, or a newer patched version

Plugin: Booking for Appointments and Events Calendar – Amelia

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.0.99
Recommended Action: Update to version 1.0.99, or a newer patched version

Plugin: Chauffeur Taxi Booking System for WordPress

Vulnerability: Authentication Bypass
Patched Version: 7.0
Recommended Action: Update to version 7.0, or a newer patched version

Plugin: Praison SEO WordPress

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpForo Forum

Vulnerability: Cross-Site Request Forgery via logout()
Patched Version: 2.2.9
Recommended Action: Update to version 2.2.9, or a newer patched version

Plugin: Inquiry cart

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Font Farsi

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WordPress Jitsi Shortcode

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Ninja Tables – Easy Data Table Builder

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 5.0.10
Recommended Action: Update to version 5.0.10, or a newer patched version

Plugin: WP To Do

Vulnerability: Cross-Site Request Forgery via wptodo_addcomment
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Claudio Sanches – Checkout Cielo for WooCommerce

Vulnerability: Insufficient Verification of Data Authenticity to Order Payment Status Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.18.3
Recommended Action: Update to version 1.18.3, or a newer patched version

Plugin: WPB Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Navigation Widget
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version

Plugin: HTML5 Video Player – mp4 Video Player Plugin and Block

Vulnerability: Unauthenticated SQL Injection
Patched Version: 2.5.27
Recommended Action: Update to version 2.5.27, or a newer patched version

Plugin: Debug Log – Manger Tool

Vulnerability: Unauthenticated Information Exposure via Logs
Patched Version: 1.5
Recommended Action: Update to version 1.5, or a newer patched version

Plugin: Fluid Notification Bar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider Revolution

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Elementor wrapperid and zindex
Patched Version: 6.7.11
Recommended Action: Update to version 6.7.11, or a newer patched version

Plugin: Christmas Greetings

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.2.7
Recommended Action: Update to version 1.2.7, or a newer patched version

Plugin: tagDiv Composer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via button Shortcode
Patched Version: 4.9
Recommended Action: Update to version 4.9, or a newer patched version

Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.15.0
Recommended Action: Update to version 4.15.0, or a newer patched version

Plugin: UserPro – Community and User Profile WordPress Plugin

Vulnerability: Unauthenticated Account Takeover to Privilege Escalation
Patched Version: 5.1.9
Recommended Action: Update to version 5.1.9, or a newer patched version

Plugin: Newsletter – Send awesome emails from WordPress

Vulnerability: Unauthenticated Stored Cross-Site Scripting via np1
Patched Version: 8.3.5
Recommended Action: Update to version 8.3.5, or a newer patched version

Plugin: WP Logs Book

Vulnerability: Cross-Site Request Forgery to Log Clearing
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Addons Pro for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via widget link
Patched Version: 2.9.13
Recommended Action: Update to version 2.9.13, or a newer patched version

Plugin: Widget Bundle

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Expert Invoice

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Authorize.net Payment Gateway For WooCommerce

Vulnerability: Insufficient Verification of Data Authenticity to Unauthenticated Payment Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Crelly Slider

Vulnerability: Authenticated (Subscriber+) Insecure Direct Object Reference
Patched Version: 1.4.6
Recommended Action: Update to version 1.4.6, or a newer patched version

Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Google Calendar Widget Link
Patched Version: 3.9.9
Recommended Action: Update to version 3.9.9, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.976
Recommended Action: Update to version 1.3.976, or a newer patched version

Plugin: Mollie Forms

Vulnerability: Cross-Site Request Forgery to Arbitrary Post Duplication
Patched Version: 2.6.14
Recommended Action: Update to version 2.6.14, or a newer patched version

Plugin: Cost Calculator Builder PRO

Vulnerability: Unauthenticated Cross-Site Scripting via SVG Upload
Patched Version: 3.1.68
Recommended Action: Update to version 3.1.68, or a newer patched version

Plugin: Lightbox slider – Responsive Lightbox Gallery

Vulnerability: Authenticated (Contributor+) PHP Object Injection
Patched Version: 1.10.0
Recommended Action: Update to version 1.10.0, or a newer patched version

Plugin: Lightweight Accordion

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.5.17
Recommended Action: Update to version 1.5.17, or a newer patched version

Plugin: PowerPack Elementor Addons (Free Widgets, Extensions and Templates)

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Patched Version: 2.7.20
Recommended Action: Update to version 2.7.20, or a newer patched version

Plugin: WP Back Button

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Brizy – Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.41
Recommended Action: Update to version 2.4.41, or a newer patched version

Plugin: Comparison Slider

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Fetch JFT

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.8.4
Recommended Action: Update to version 1.8.4, or a newer patched version

Plugin: Mime Types Extended

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ND Shortcodes

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: YITH WooCommerce Wishlist

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 3.33.0
Recommended Action: Update to version 3.33.0, or a newer patched version

Plugin: Playlist for Youtube

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 1.40
Recommended Action: Update to version 1.40, or a newer patched version

Plugin: Download Attachments

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Enter Addons – Ultimate Template Builder for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Heading widget
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version

Plugin: WP-Members Membership Plugin

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.4.9.2
Recommended Action: Update to version 3.4.9.2, or a newer patched version

Plugin: Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce

Vulnerability: Unauthenticated SQL Injection via hash
Patched Version: 5.7.21
Recommended Action: Update to version 5.7.21, or a newer patched version

Plugin: Random Banner

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.5.52
Recommended Action: Update to version 2.5.52, or a newer patched version

Plugin: Easy Textillate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 2.02
Recommended Action: Update to version 2.02, or a newer patched version

Plugin: Remote Content Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WPBakery Visual Composer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Heading tag attribute
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: Ni Purchase Order(PO) For WooCommerce

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version

Plugin: Upload Fields for WPForms – Drag and Drop Multiple File Upload, Image Upload, and Google Drive Upload for WPForms

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP To Do

Vulnerability: Cross-Site Request Forgery via wptodo_manage()
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP Recipe Maker

Vulnerability: Authenticated Stored Cross-Site Scripting via Video Embed
Patched Version: 9.3.0
Recommended Action: Update to version 9.3.0, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: Authenticated Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce

Vulnerability: Improper Authorization
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: Mihdan: Yandex Turbo Feed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.6.6
Recommended Action: Update to version 1.6.6, or a newer patched version

Plugin: Animated Headline

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Simple Spoiler

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version

Plugin: Permalink Manager Lite

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.3.2
Recommended Action: Update to version 2.4.3.2, or a newer patched version

Plugin: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Vulnerability: Missing Authorization to Privilege Escalation
Patched Version: 3.2.1
Recommended Action: Update to version 3.2.1, or a newer patched version

Plugin: wpForo Forum

Vulnerability: Missing Authorization
Patched Version: 2.2.6
Recommended Action: Update to version 2.2.6, or a newer patched version

Plugin: Reviews and Rating – Google Reviews

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 5.3
Recommended Action: Update to version 5.3, or a newer patched version

Plugin: Simple Testimonials Showcase

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.6
Recommended Action: Update to version 1.1.6, or a newer patched version

Plugin: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.9.1
Recommended Action: Update to version 6.9.1, or a newer patched version

Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 4.1.2
Recommended Action: Update to version 4.1.2, or a newer patched version

Plugin: Icon Widget

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.4.0
Recommended Action: Update to version 1.4.0, or a newer patched version

Plugin: Widget Bundle

Vulnerability: Cross-Site Request Forgery to Widget Disable/Enable
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Modal Window – create popup modal window

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 5.3.9
Recommended Action: Update to version 5.3.9, or a newer patched version

Plugin: Newsletter2Go

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via style
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Otter Blocks PRO – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

Vulnerability: Unauthenticated Stored Cross-Site Scripting via SVG Upload
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Text Field
Patched Version: 1.5.108
Recommended Action: Update to version 1.5.108, or a newer patched version

Plugin: Shopping Cart & eCommerce Store

Vulnerability: Missing Authorization
Patched Version: 5.6.0
Recommended Action: Update to version 5.6.0, or a newer patched version

Plugin: WPBakery Visual Composer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Button onclick attribute
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: DOP Shortcodes

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Featured Image from URL (FIFU)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via fifu_input_url
Patched Version: 4.6.3
Recommended Action: Update to version 4.6.3, or a newer patched version

Plugin: Essential Real Estate

Vulnerability: Insecure Direct Object Reference to Arbitrary Attachment Deletion
Patched Version: 4.4.5
Recommended Action: Update to version 4.4.5, or a newer patched version

Plugin: Schema & Structured Data for WP & AMP

Vulnerability: Authenticated (Custom) Stored Cross-Site Scripting
Patched Version: 1.27
Recommended Action: Update to version 1.27, or a newer patched version

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS
Patched Version: 4.3.0
Recommended Action: Update to version 4.3.0, or a newer patched version

Plugin: Uploadcare File Uploader and Adaptive Delivery (beta)

Vulnerability: Cross-Site Request Forgery
Patched Version: 3.1.0
Recommended Action: Update to version 3.1.0, or a newer patched version

Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.1.78
Recommended Action: Update to version 3.1.78, or a newer patched version

Plugin: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.6.25
Recommended Action: Update to version 1.6.25, or a newer patched version

Core: WordPress

Vulnerability: Insufficient Sanitization of Block Attributes
Patched Version: 4.1.38
Recommended Action: Update to one of the following versions, or a newer patched version: 4.1.38, 4.2.35, 4.3.31, 4.4.30, 4.5.29, 4.6.26, 4.7.26, 4.8.22, 4.9.23, 5.0.19, 5.1.16, 5.2.18, 5.3.15, 5.4.13, 5.5.12, 5.6.11, 5.7.9, 5.8.7, 5.9.6, 6.0.4, 6.1.2, 6.2.1

Plugin: Post Grid and Gutenberg Blocks – ComboBlocks

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.81
Recommended Action: Update to version 2.2.81, or a newer patched version

Plugin: Visual Composer Website Builder

Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: 45.9.0
Recommended Action: Update to version 45.9.0, or a newer patched version

Plugin: Shariff Wrapper

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6.10
Recommended Action: Update to version 4.6.10, or a newer patched version

Plugin: Similarity

Vulnerability: Cross-Site Request Forgery to Plugin Reset
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Vulnerability: Missing Authorization via get_jltma_save_menuitem_settings()
Patched Version: 2.0.5.6
Recommended Action: Update to version 2.0.5.6, or a newer patched version

Plugin: Booster Extension

Vulnerability: Basic Information Exposure via booster_extension_authorbox_shortcode_display
Patched Version: 1.2.1
Recommended Action: Update to version 1.2.1, or a newer patched version

Plugin: WPB Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2
Recommended Action: Update to version 1.2, or a newer patched version

Plugin: MelaPress Login Security

Vulnerability: Authenticated (Admin+) Remote File Inclusion
Patched Version: 1.3.1
Recommended Action: Update to version 1.3.1, or a newer patched version

Plugin: Gum Elementor Addon

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Price Table and Post Slider Widgets
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version

Plugin: Responsive video embed

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.5.1
Recommended Action: Update to version 0.5.1, or a newer patched version

Plugin: List categories

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 0.5
Recommended Action: Update to version 0.5, or a newer patched version

Plugin: WP STAGING WordPress Backup Plugin – Migration Backup Restore

Vulnerability: Authenticated (Admin+) Arbitrary File Upload
Patched Version: 3.5.0
Recommended Action: Update to version 3.5.0, or a newer patched version

Plugin: Preferred Languages

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Safety Exit

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Emergency Password Reset

Vulnerability: Cross-Site Request Forgery
Patched Version: 9.0
Recommended Action: Update to version 9.0, or a newer patched version

Plugin: Jotform Online Forms – Drag & Drop Form Builder, Securely Embed Contact Forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.2
Recommended Action: Update to version 1.3.2, or a newer patched version

Core: WordPress

Vulnerability: Self-Cross Site Scripting via Theme Folder Name
Patched Version: 3.7.34
Recommended Action: Update to one of the following versions, or a newer patched version: 3.7.34, 3.8.34, 3.9.32, 4.0.31, 4.1.31, 4.2.28, 4.3.24, 4.4.23, 4.5.22, 4.6.19, 4.7.18, 4.8.14, 4.9.15, 5.0.10, 5.1.6, 5.2.7, 5.3.4, 5.4.2

Plugin: Otter Blocks PRO – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via File Field CSS
Patched Version: 2.6.4
Recommended Action: Update to version 2.6.4, or a newer patched version

Plugin: WP Email Template

Vulnerability: HTML injection
Patched Version: 2.2.11
Recommended Action: Update to version 2.2.11, or a newer patched version

Plugin: Pray For Me

Vulnerability: Cross-Site Request Forgery to Settings Update
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WooCommerce

Vulnerability: Authenticated (Admin+) HTML Injection
Patched Version: 6.6.0
Recommended Action: Update to version 6.6.0, or a newer patched version

Plugin: The Events Calendar

Vulnerability: Missing Authorization to Authenticated (Contributor+) Arbitrary Events Access
Patched Version: 6.4.0.1
Recommended Action: Update to version 6.4.0.1, or a newer patched version

Plugin: Elementor Addon Elements

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Thumbnail Slider Widget
Patched Version: 1.13
Recommended Action: Update to version 1.13, or a newer patched version

Plugin: Smartarget Message Bar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: FS Product Inquiry

Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ANAC XML Viewer

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.7.1
Recommended Action: Update to version 1.7.1, or a newer patched version

Plugin: Tracking Code Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 2.3.0
Recommended Action: Update to version 2.3.0, or a newer patched version

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 3.31
Recommended Action: Update to version 3.31, or a newer patched version

Plugin: NS WooCommerce Watermark

Vulnerability: Abuse of Functionality
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm-all-packages Shortcode
Patched Version: 3.2.91
Recommended Action: Update to version 3.2.91, or a newer patched version

Plugin: WordPress File Upload

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.24.6
Recommended Action: Update to version 4.24.6, or a newer patched version

Plugin: JetWidgets For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Button URL
Patched Version: 1.0.17
Recommended Action: Update to version 1.0.17, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Audio Widget
Patched Version: 2.7.4.3
Recommended Action: Update to version 2.7.4.3, or a newer patched version

Plugin: Blocksy Companion

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 2.0.43
Recommended Action: Update to version 2.0.43, or a newer patched version

Plugin: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Vulnerability: Email Verification Bypass due to Insufficient Randomness
Patched Version: 2.8.10
Recommended Action: Update to version 2.8.10, or a newer patched version

Plugin: Swiss Toolkit For WP

Vulnerability: Authenticated (Contributor+) Authentication Bypass
Patched Version: 1.0.8
Recommended Action: Update to version 1.0.8, or a newer patched version

Plugin: Crelly Slider

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SiteOrigin Widgets Bundle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.58.3
Recommended Action: Update to version 1.58.3, or a newer patched version

Plugin: KiviCare – Clinic & Patient Management System (EHR)

Vulnerability: Authenticated (Patient+) Insecure Direct Object Reference
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Slider Revolution

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Add Layer class, id, and title Attributes
Patched Version: 6.7.11
Recommended Action: Update to version 6.7.11, or a newer patched version

Plugin: SureTriggers: All-in-One WordPress Automation

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Trigger Link Shortcode
Patched Version: 1.0.48
Recommended Action: Update to version 1.0.48, or a newer patched version

Plugin: Comparison Slider

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: ActiveDEMAND

Vulnerability: Cross-Site Request Forgery
Patched Version: 0.2.44
Recommended Action: Update to version 0.2.44, or a newer patched version

Plugin: Insert Post Ads

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: 1.3.9
Recommended Action: Update to version 1.3.9, or a newer patched version

Plugin: Social Pixel

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.9.9
Recommended Action: Update to version 5.9.9, or a newer patched version

Plugin: Knight Lab Timeline

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 3.9.3.4
Recommended Action: Update to version 3.9.3.4, or a newer patched version

Plugin: SEOPress – On-site SEO

Vulnerability: Authenticated (Contributor+) Open Redirect
Patched Version: 7.8
Recommended Action: Update to version 7.8, or a newer patched version

Plugin: Lightbox & Modal Popup WordPress Plugin – FooBox Premium

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 2.7.28
Recommended Action: Update to version 2.7.28, or a newer patched version

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via form widget addr2_width attribute
Patched Version: 2.10.31
Recommended Action: Update to version 2.10.31, or a newer patched version

Plugin: Checkout Field Editor for WooCommerce (Pro)

Vulnerability: Unauthenticated Arbitrary File Deletion
Patched Version: 3.6.3
Recommended Action: Update to version 3.6.3, or a newer patched version

Plugin: Download Manager

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm_modal_login_form Shortcode
Patched Version: 3.2.94
Recommended Action: Update to version 3.2.94, or a newer patched version

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Text Widget
Patched Version: 4.10.32
Recommended Action: Update to version 4.10.32, or a newer patched version

Plugin: Amen

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial Widget
Patched Version: 3.2.26
Recommended Action: Update to version 3.2.26, or a newer patched version

Plugin: Simple Testimonials Showcase

Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Logo Manager For Enamad

Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 0.7.1
Recommended Action: Update to version 0.7.1, or a newer patched version

Plugin: Event Tickets with Ticket Scanner

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.3.2
Recommended Action: Update to version 2.3.2, or a newer patched version

Plugin: Link Library

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 7.6.7
Recommended Action: Update to version 7.6.7, or a newer patched version

Plugin: Advanced Custom Fields (ACF)

Vulnerability: Authenticated (Contributor+) Arbitrary Custom Field Access
Patched Version: 6.3.0
Recommended Action: Update to version 6.3.0, or a newer patched version

Plugin: Cowidgets – Elementor Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via heading_tag Parameter
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version

Plugin: WP To Do

Vulnerability: Cross-Site Request Forgery via wptodo_settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: GiveWP – Donation Plugin and Fundraising Platform

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.6.0
Recommended Action: Update to version 3.6.0, or a newer patched version

Plugin: Sync Post With Other Site

Vulnerability: Cross-Site Request Forgery
Patched Version: 1.5.2
Recommended Action: Update to version 1.5.2, or a newer patched version

Plugin: Global Notification Bar

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce

Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting via Templates
Patched Version: 3.4.7
Recommended Action: Update to version 3.4.7, or a newer patched version

Plugin: Watu Quiz

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.4.1.1
Recommended Action: Update to version 3.4.1.1, or a newer patched version

Plugin: YML for Yandex Market

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 4.2.4
Recommended Action: Update to version 4.2.4, or a newer patched version

Plugin: Database for Contact Form 7, WPforms, Elementor forms

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version

Plugin: Download Monitor

Vulnerability: Missing Authorization
Patched Version: 4.9.14
Recommended Action: Update to version 4.9.14, or a newer patched version

Plugin: Page Builder: Pagelayer – Drag and Drop website builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version

Plugin: Content Blocks (Custom Post Widget)

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Shortcode
Patched Version: 3.3.1
Recommended Action: Update to version 3.3.1, or a newer patched version

Plugin: Essential Real Estate

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 4.4.3
Recommended Action: Update to version 4.4.3, or a newer patched version

Plugin: WPUpper Share Buttons

Vulnerability: Missing Authorization
Patched Version: 3.50
Recommended Action: Update to version 3.50, or a newer patched version

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

Vulnerability: Missing Authorization to Information Exposure
Patched Version: 10.24
Recommended Action: Update to version 10.24, or a newer patched version

Plugin: CB (legacy)

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Login Logout Register Menu

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘llrmloginlogout’ Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Feed
Patched Version: 5.9.22
Recommended Action: Update to version 5.9.22, or a newer patched version

Plugin: Frontend Registration – Contact Form 7

Vulnerability: Authenticated (Editor+) Privilege Escalation
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Premium Addons for Elementor

Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Global Tooltip
Patched Version: 4.10.32
Recommended Action: Update to version 4.10.32, or a newer patched version

Plugin: WPBakery Visual Composer

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Author
Patched Version: 7.6
Recommended Action: Update to version 7.6, or a newer patched version

Plugin: Royal Elementor Addons and Templates

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Back to Top Widget
Patched Version: 1.3.976
Recommended Action: Update to version 1.3.976, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via photo widget crop attribute
Patched Version: 2.8.1.3
Recommended Action: Update to version 2.8.1.3, or a newer patched version

Plugin: ElementsKit Elementor addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version

Plugin: Login with phone number

Vulnerability: Authentication Bypass due to Missing Empty Value Check
Patched Version: 1.7.27
Recommended Action: Update to version 1.7.27, or a newer patched version

Plugin: Fastly

Vulnerability: Missing Authorization
Patched Version: 1.2.26
Recommended Action: Update to version 1.2.26, or a newer patched version

Plugin: Responsive Contact Form Builder & Lead Generation Plugin

Vulnerability: Missing Authorization
Patched Version: 1.9.0
Recommended Action: Update to version 1.9.0, or a newer patched version

Plugin: Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.2.24
Recommended Action: Update to version 3.2.24, or a newer patched version

Plugin: AppPresser – Mobile App Framework

Vulnerability: Improper Missing Encryption Exception Handling to Authentication Bypass
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Vulnerability: Tables & Table Charts (Premium) <= 6.3.2
Patched Version: 6.4
Recommended Action: Update to version 6.4, or a newer patched version

Plugin: Ninja Forms – The Contact Form Builder That Grows With You

Vulnerability: Authenticated (Administrator+) Stored HTML Injection
Patched Version: 3.6.26
Recommended Action: Update to version 3.6.26, or a newer patched version

Plugin: Testimonial Carousel For Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 10.2.3
Recommended Action: Update to version 10.2.3, or a newer patched version

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.10.2
Recommended Action: Update to version 3.10.2, or a newer patched version

Plugin: Beaver Builder – WordPress Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Heading Tag
Patched Version: 2.7.4.5
Recommended Action: Update to version 2.7.4.5, or a newer patched version

Plugin: Simple Popup Manager

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Travelpayouts: All Travel Brands in One Place

Vulnerability: Open Redirect
Patched Version: 1.1.17
Recommended Action: Update to version 1.1.17, or a newer patched version

Plugin: Auto Featured Image (Auto Post Thumbnail)

Vulnerability: Authenticated (Author+) Server-Side Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: WP-Recall – Registration, Profile, Commerce & More

Vulnerability: Cross-Site Request Forgery
Patched Version: 16.26.7
Recommended Action: Update to version 16.26.7, or a newer patched version

Plugin: WP To Do

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Settings
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Orbit Fox by ThemeIsle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.10.31
Recommended Action: Update to version 2.10.31, or a newer patched version

Plugin: Front End Users

Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.2.25
Recommended Action: Update to version 3.2.25, or a newer patched version

Plugin: Ecwid by Lightspeed Ecommerce Shopping Cart

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 6.12.11
Recommended Action: Update to version 6.12.11, or a newer patched version

Plugin: Tainacan

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 0.21.4
Recommended Action: Update to version 0.21.4, or a newer patched version

Plugin: Elements For Elementor

Vulnerability: Authenticated (Contributor+) Local File Inclusion via Multiple Widget Attributes
Patched Version: 2.2
Recommended Action: Update to version 2.2, or a newer patched version

Plugin: Pray For Me

Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SiteOrigin Widgets Bundle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.58.8
Recommended Action: Update to version 1.58.8, or a newer patched version

Plugin: WordPress Infinite Scroll – Ajax Load More

Vulnerability: Authenticated (Contributor+) Cross-Site Scripting
Patched Version: 7.1.2
Recommended Action: Update to version 7.1.2, or a newer patched version

Plugin: Yumpu E-Paper publishing

Vulnerability: Missing Authorization to PDF Upload, Publishing, and API Key Modification
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version

Plugin: QQWorld Auto Save Images

Vulnerability: Missing Authorization to Arbitrary Post Content Retrieval
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Follow Us Badges

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wpsite_follow_us_badges Shortcode
Patched Version: 3.1.11
Recommended Action: Update to version 3.1.11, or a newer patched version

Plugin: Browser Theme Color

Vulnerability: Cross-Site Request Forgery via btc_settings_page
Patched Version: 1.4
Recommended Action: Update to version 1.4, or a newer patched version

Plugin: WP Go Maps (formerly WP Google Maps)

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: 9.0.37
Recommended Action: Update to version 9.0.37, or a newer patched version

Plugin: Nafeza Prayer Time

Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Church Admin

Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 4.4.0
Recommended Action: Update to version 4.4.0, or a newer patched version

Plugin: SVGMagic

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpForo Forum

Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 2.3.4
Recommended Action: Update to version 2.3.4, or a newer patched version

Plugin: Open Graph

Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: 1.11.3
Recommended Action: Update to version 1.11.3, or a newer patched version

Plugin: LiveJournal Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Jobs for WordPress

Vulnerability: Reflected Cross-Site Scripting via job-search
Patched Version: 2.7.6
Recommended Action: Update to version 2.7.6, or a newer patched version

Plugin: Slider Revolution

Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting
Patched Version: 6.7.0
Recommended Action: Update to version 6.7.0, or a newer patched version

Plugin: Essential Addons for Elementor Pro

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Team Member Carousel Widget
Patched Version: 5.8.15
Recommended Action: Update to version 5.8.15, or a newer patched version

Plugin: Social Login Lite For WooCommerce

Vulnerability: Authentication Bypass
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Happy Addons for Elementor

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Accordion
Patched Version: 3.11.0
Recommended Action: Update to version 3.11.0, or a newer patched version

Plugin: Brizy – Page Builder

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.4.41
Recommended Action: Update to version 2.4.41, or a newer patched version

Plugin: Widget Bundle

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: wpDataTables (Premium)

Vulnerability: Tables & Table Charts (Premium) <= 6.3.1
Patched Version: 6.3.2
Recommended Action: Update to version 6.3.2, or a newer patched version

Plugin: MJ Update History

Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: Just Writing Statistics

Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version

Plugin: Hueman Addons

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Plugin: SiteOrigin Widgets Bundle

Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.58.4
Recommended Action: Update to version 1.58.4, or a newer patched version

***

Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.